Associated Incidents
Serviceaide, Inc., a San Jose, California-based business associate that offers agentic AI-powered agents for IT and workflow management, has announced a major data breach affecting almost half a million patients of the six-hospital healthcare system, Catholic Health in Buffalo, New York.
Serviceaide provides information technology support management services to Catholic Health, which requires access to patients' electronic protected health information. On November 15, 2024, Serviceaide discovered that certain information within its Catholic Health Elasticsearch database had been exposed online and could be accessed without authentication.
Serviceaide launched an investigation, which revealed the database had been exposed online for around six weeks between September 19, 2024, and November 5, 2024. The investigation found no evidence to suggest any of the information in the database had been copied by unauthorized individuals while it was exposed, but it was not possible to rule out the possibility that sensitive data had been copied.
The database has been reviewed and found to contain the personal and protected health information of 483,126 Catholic Health patients, including names, dates of birth, Social Security numbers, medical record numbers, patient account numbers, medical/health information, health insurance information, treatment information, prescriptions, clinical information, provider names and locations, and email/usernames and passwords. The types of data involved varied from individual to individual, and at the time of issuing notification letters, Serviceaide was unaware of any misuse of the exposed data.
Serviceaide has recently mailed notification letters to the affected individuals and informed the HHS' Office for Civil Rights about the data breach on May 9, 2025. Serviceaide is implementing additional security measures to prevent similar breaches in the future, and complimentary credit monitoring and identity theft protection services have been made available to victims of the data breach.
HIPAA-regulated entities should ensure they have policies and procedures for checking authentication controls on cloud-based storage, as exposed databases are a common cause of data breaches. Last week, the HHS' Office for Civil Rights announced a settlement with a Californian MRI service provider after data had been exposed online, and the Puerto Rico healthcare clearinghouse Inmediata was also recently fined for exposing sensitive healthcare data online.