Cyberattack of health tech company affects more than 4 million

A cyberattack of Health EC, a population health technology company, has affected health systems and providers across the country.

Health EC disclosed the breach in late December. The company said in a press release that an unknown actor accessed Health EC’s network and copied files between July 14 and 23, 2023. The company completed its investigation in late October and began notifying its clients, as well as individuals who had been impacted.

More than 4.4 million individuals have been affected by the breach, according to the U.S. Department of Health and Human Services. The department requires organizations to disclose health data breaches affecting more than 500 individuals.

Read more: The 11 biggest health data breaches of 2023

More than 1 million residents in Michigan have been affected by the breach, according to Michigan Attorney General Dana Nessel. HealthEC is a vendor for Corewell Health, the Michigan-based health system operating 21 hospitals and more than 300 outpatient locations.

It’s actually the second breach that has affected Corewell in a matter of weeks, according to Nessel’s office. Corewell has also been affected by a data breach at Welltok, Inc., a software company contracted by Corewell to provide communications services. The Welltok breach affected other health systems around the country.

HealthEC listed a number of organizations that have been affected by the breach, including HonorHealth, Mid-Florida Cancer Centers, University Medical Center of Princeton Physicians' Organization, and Community Health Care Systems. TennCare, the state of Tennessee’s managed Medicaid agency, is also among those affected.

The HealthEC breach involved patient information including home addresses, dates of birth, Social Security numbers, and medical information, including diagnosis, health conditions, and prescription information.

HealthEC says it moved immediately to respond to the attack and has been working with law enforcement. The company says it is reviewing its policies and procedures, and has set up a toll-free hotline for individuals to call with questions (1-833-466-9216).

Given the two recent cyberattacks that have affected Corewell, and a ransomware attack of McLaren Health Care affecting 2.5 million patients, Nessel is pushing Michigan lawmakers to adopt new requirements regarding notifications of breaches.

“Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection,” Nessel said in a statement. “It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

More than 100 million Americans have been affected by cyberattacks and breaches of private health information in 2023 alone, says John Riggi, national advisor for cybersecurity of the American Hospital Association. Riggi estimates this may be the worst year ever for cyberattacks, in terms of the number of victims.

Attackers are growing more adept at accessing and stealing large volumes of data, Riggi told Chief Healthcare Executive® in a December interview.

“It just goes to show one that no organization is immune, that no matter how much money you throw at this problem, we can't defend our way out of this issue,” Riggi said. “There will always be some vulnerability present in any system, including government organizations, which have been victimized this year as well.”

Cyberattacks can be costly for hospitals and health systems. The average health data breach costs nearly $11 million, according to an analysis by IBM Security.

More healthcare leaders are focusing on the threat to patients in cyberattacks, as attacks have forced hospitals and health systems to divert ambulances.