
Report 5181

Associated Incidents

Incident 107014 Report
Serviceaide AI Platform Implicated in Health Data Exposure Affecting 483,000 Catholic Health Patients

Agentic AI Tech Firm Says Health Data Leak Affects 483,000
bankinfosecurity.com · 2025

Serviceaide, a provider of agentic artificial intelligence-based IT management and workflow software, reported to regulators that an inadvertent exposure of data on the web has affected more than 483,000 patients of client Catholic Health, a network of six hospitals and dozens of other facilities in western New York.

California-based Serviceaide reported the incident as an unauthorized access/disclosure breach to the U.S. Department of Health and Human Services on May 9. As of Friday, several class action law firms had already issued public notices saying they are investigating the breach for potential lawsuits.

Serviceaide in its breach notice said that on Nov. 15, 2024, it learned that "certain information within its Catholic Health Elasticsearch database was inadvertently made publicly available."

In response to the discovery, Serviceaide said it quickly took steps to secure Catholic Health's database and launched an investigation. The investigation determined that between Sept. 19, 2024, and Nov. 5, 2024, certain patient data was publicly exposed.

"The investigation did not identify any evidence that information was copied, but we are unable to rule out this type of activity," Serviceaide said.

"As such, a data review vendor was engaged to conduct a comprehensive and time-intensive review of the potentially impacted data to identify any personal health information contained therein and to whom that information relates. This review was recently completed," the company said.

Among the potentially affected information was name, Social Security number, date of birth, medical record number, patient account number, medical and health information, health insurance information, prescription and treatment information, clinical information, provider name, provider location, email username and password. The specific type of information potentially compromised varies per individual, the company said.

In response to the incident, Serviceaide said it has implemented additional security measures to help prevent similar incidents from occurring in the future. The company is also offering affected individuals 12 months of complimentary credit and identity monitoring.

A short statement by Catholic Health on its website says one of its vendors, Serviceaide, experienced a data breach "resulting in limited patient information being exposed online."

Serviceaide is sending out notification letters to potentially affected patients, and Catholic Health has referred the public to the breach notice posted on Serviceaide's website.

Neither Serviceaide nor Catholic Health immediately responded to Information Security Media Group's requests for additional details and comment about the incident.

Similar Cases

The inadvertent exposure of protected health information through IT misconfigurations and similar issues is not uncommon, but in some cases these incidents have resulted in hefty enforcement fines from federal and state regulators, as well as civil lawsuit settlements.

In December, HHS' Office for Civil Rights fined Puerto Rico-based clearinghouse Inmediata Health Group $250,000 as part of a HIPAA settlement involving such an incident in 2019 that exposed to the web PHI of 1.6 million patients (see: Clearinghouse Pays $250K Settlement in Web Exposure Breach).

The Inmediata Health Group data breach was also the subject of a $1.4 million settlement in 2023 with 33 state attorneys general and a $1.1 million civil settlement in 2023 of proposed federal class action litigation against the company (see: 33 State AGs Settle 3 Health Data Breach Cases).

More recently, HHS OCR said on Thursday that Vision Upright MRI, a small California provider of medical imaging services, has agreed to pay federal regulators a $5,000 fine and implement a corrective action plan to improve its data security practices following an investigation into a HIPAA breach reported in December 2020 that also involved patient information exposed on the web.

Federal regulators said VUM maintains a picture archiving and communication system (PACS) server containing medical images including X-rays, MRI and CT scans. The incident involved PHI maintained or stored by VUM that was accessible on the internet and disclosed due to an unsecured PACS server.

HHS OCR said its investigation into the incident determined that VUM had never conducted a HIPAA risk analysis and that the firm failed to complete timely breach notification within 60 days of discovering the breach.

VUM did not immediately respond to ISMG's request for comment on the settlement.

HHS OCR's resolution agreement with VUM is the federal agency's 14th HIPAA enforcement so far in 2025.
