Massive healthcare data breach leaves 4.5 million patients’ personal data exposed — what to do now

Unlike when your Facebook gets hacked or you fall victim to a phishing attack, your personal information can be exposed online through no fault of your own when a company you do business with suffers a data breach. However, this can also happen when a third-party service provider used by multiple companies is attacked by hackers.

As reported by BleepingComputer, the health management solution company HealthEC suffered a data breach over the summer and, as a result, the personal data and health information of 4.5 million patients were stolen by hackers. While HealthEC isn’t exactly a household name, its health management platform is used by 26 different healthcare organizations in 18 states across the U.S.

For this reason, you’re going to want to be extra careful if you’ve used any of the affected healthcare providers or services over the past year as the data stolen in this cyberattack could easily be used to commit fraud or even identity theft.

Multiple healthcare providers affected

The data breach itself occurred between July 14 and July 23 of 2023, when hackers managed to gain unauthorized access to some of HealthEC's systems. Following an investigation into the matter that concluded in October 2023, it was revealed that patients’ names, addresses, dates of birth, Social Security numbers (SSNs), taxpayer identification numbers, medical record numbers, medical information, health insurance information and billing and claims information were stolen from HealthEC’s breached systems.

Based on a data breach notification submitted to the Attorney General’s office in Maine, it was initially thought that just over 100,000 people were impacted by this data breach. However, a new listing on the U.S. Department of Health and Human Services’ breach portal shows that the total number of affected individuals is actually much higher at approximately 4,452,782.

So far, there are 17 healthcare service providers and state-level health systems that have been impacted by the cyberattack on HealthEC. In a cybersecurity notice published on its site, the company explains that some of its affected business partners include Corewell Health, HonorHealth, Community Health Care Systems, State of Tennessee, Long Island Select Healthcare and others.

What to do next if your personal data was exposed

Unlike other companies that have fallen victim to a major data breach, HealthEC isn’t offering free access to the best identity theft protection services. However, its business partners may do so for their own customers.

As such, if you have been a customer of any of the affected healthcare providers and organizations, you’re going to want to frequently check your mailbox for any data breach notification letters. These letters often contain advice and steps you can take to protect your exposed personal data and they may also include a code to sign up for an identity theft protection service or a credit monitoring service.

HealthEC recommends that all affected patients carefully review their bank statements for signs of suspicious activity or fraud. Likewise, the firm also suggests they place a fraud alert on their credit file, which is free to do. Alternatively, you may also want to place a credit freeze on your credit report to prevent anyone from taking out loans or mortgages in your name using your stolen personal information.

This is the second healthcare-related data breach we’ve seen in recent months and as healthcare providers and the companies they work with manage all sorts of personal data, this trend will likely continue as cybercriminals look for new ways to gain access to SSNs and other valuable customer data to use in future attacks.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.