HealthEC disclosed a breach of almost 4.5 million records belonging to patients signed up to 18 U.S. healthcare providers.
HealthEC sells a population health management solution that healthcare providers rely upon to analyze, forecast and plan engagements with patients, meaning the vendor holds individuals’ personal, medical, and financial data.
The company disclosed the hack on Dec. 22, the same day it and its impacted clients began sending breach disclosure letters to affected patients.
It wasn’t until this week, however, when HealthEC’s filing regarding the incident was published on the Department of Health and Human Services’ breach portal, that the extent of the attack became publicly known. According to the HHS listing, 4,452,782 individuals were affected by the breach.
In its initial disclosure, HealthEC said unidentified threat actors accessed some of its systems from July 14-23 last year, during which time certain files were copied.
The 18 affected clients included the Alliance for Integrated Care of New York, Beaumont ACO, Corewell Health, HonorHealth, TennCare, and the University Medical Center of Princeton Physicians’ Organization.
Files that were stolen included patients’ personal details such as Social Security and Taxpayer Identification Numbers, their medical condition, treatment and prescription details, health insurance information, and billing and claims records.
