AI Incident Database

Report 5232

Associated Incidents

Incident 107014 Report
Serviceaide AI Platform Implicated in Health Data Exposure Affecting 483,000 Catholic Health Patients

Serviceaide data breach exposed info of 483K Catholic Health patients
scworld.com · 2025

IT services company Serviceaide notified the U.S. Department of Health and Human Services (HHS) on May 9 that the sensitive data of up to 483,126 Catholic Health patients may have been exposed in a breach.

In a letter dated May 5 sent to affected patients, the company said it learned of the breach of its Elasticsearch database on Nov. 15, 2024, after which it launched an investigation into the scope of the incident.

Investigators found that between Sept. 19, 2024, and Nov. 5, 2024, certain patient information was publicly available.

The data included the following: names, Social Security numbers, dates of birth, medical record numbers, patient account numbers, medical/health information, clinical information, provider name, provider location, and email/usernames and passwords.

Serviceaide told patients that while the investigation did not identify any evidence that information was copied, they were "unable to rule out this type of activity."

Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, said the breach resulted from an insecure direct object reference (IDOR) misconfiguration that gave hackers potential unauthorized access to sensitive data without evidence of data being copied.

Sarkar said this could affect individuals receiving medical care from Catholic Health's 75 locations in western New York, increasing the risks of identity theft, financial fraud, and medical fraud, given the possible loss of highly sensitive personal and health information.

"There are a lot of lessons for cybersecurity teams, but implementation is complex," said Sarkar. "These include preventing misconfiguration risks, delayed detection, third-party vendor risks, sensitive data exposure and regulatory implications. At a minimum healthcare security teams must resolve IDOR vulnerabilities, audit configurations, enhance change governance and implement passwordless least privilege access."

Nic Adams, co-founder and CEO at 0rcus, compared the case to the high-profile Change Healthcare incident last year in the sense that the heavy reliance on a third-party vendor by a medical organization increases the potential impact of a breach.

"Both incidents underscore a systemic issue within the healthcare sector, wherefore third-party vendors are increasingly targeted due to their access to critical data and systems," said Adams. "Lack of robust measures and operational oversight in these vendor relationships exacerbates perpetuating risk of such breaches."

The sheer volume of sensitive personal and healthcare data exposed in the Serviceaide breach highlights the critical ongoing need for robust cybersecurity measures across the healthcare sector, added Darren Guccione, co-founder and CEO of Keeper Security.

"Determining the true impact of a breach of this scale often takes months or even years as organizations must uncover the full extent of data exposure, verify the accuracy of the breach reports and navigate evolving regulatory requirements," said Guccione. "The exposed Catholic Health data remains a significant threat. With personal, medical and financial information compromised, the risk for identity theft, medical fraud and targeted phishing attacks is high. While there may not be immediate signs of misuse, the stolen data could surface down the road, prolonging risks for both individuals and organizations."
