High Level Summary of the Security Advisory
HealthEC LLC (HEC), a population health management (PHM) company which develops and delivers technology solutions to help healthcare organizations improve population health outcomes and manage costs. HealthEC LLC aims to empower healthcare organizations with data-driven insights and technology solutions to improve population health outcomes, reduce costs, and achieve success in the value-based care environment.
On December 22, 2023 HEC provided a notice of an event that may have affected the security of certain data HEC received from its business partners.
As per the notice, HEC became aware of a suspicious activity potentially involving its network and began investigations. The investigations revealed that certain systems were accessed by an unknown actor between July 14, 2023 and July 23, 2023, and during this time certain files were copied. Upon further review, HEC determined that the files contained information relating to some of its clients. The types of information identified varied by individual but included:
- Date of birth
- Social Security number
- Taxpayer Identification number
- Medical Record number
- Medical information (including but not limited to Diagnosis, Diagnosis Code, Mental/Physical Condition, Prescription information, and Provider’s name and location)
- Health insurance information (including but not limited to Beneficiary number, Subscriber number, Medicaid/Medicare identification), and/or
- Billing and Claims information (including but not limited to Patient account number, Patient identification number, and Treatment cost information).
HEC began to notify its clients on October 26, 2023 and collaborate with them to notify potentially impacted individuals. According to the notice, the event had an impact on the following list of Business Partners/ Customers:
Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, State of Tennessee, Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York, LLC, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic & Treatment Center, Inc., Long Island Select Healthcare, Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers, Illinois Health Practice Alliance, LLC, East Georgia Healthcare Center, Hudson Valley Regional Community Health Centers, and Upstate Family Health Center, Inc.
Based on information from other relevant sources (bleepingcomputer, securityweek), the latest listing that appeared on January 3, 2024 on the breach portal of the US Department of Health and Human Services indicates that the total number of individuals affected by this event exceeds 4.5 million.
Should I be concerned?
Maybe. It depends on if you have a relationship with HEC or any of the impacted business partners or customers. Click on the link below to sign up for VISO’s AI-powered third-party risk platform and find out if you have a relationship with HEC or any of the business partners.
What to do if you or your vendors have an active relationship with HEC
According to the notice, upon completion and review of the investigations, HEC notified potentially affected business partners/customers and federal law enforcement. Additionally, HEC initiated a review of its existing policies and procedures.
HEC has urged individuals to stay vigilant against incidents of identity theft and fraud by regularly reviewing account statements, explanation of benefits statements, and monitoring free credit reports for any suspicious activity or errors. Any suspicious activity should be promptly reported to relevant parties, including insurance companies, healthcare providers, and/or financial institutions. The notice also provides additional guidance on steps that can be taken to protect consumers’ personal information.
We recommend that you promptly reach out to the HEC team and conduct a thorough investigation to assess any potential impact of the incident on your organization’s systems, data, and network environment. Subsequently, implement the requisite remedial actions.
Send an AI-powered assessment for free
VISO’s freemium offering and tap into our robust database of 2.5 million companies to deploy a fast and simple AI-powered vendor risk assessment.
Stay informed on third-party breaches and what you can do to reduce risk by subscribing to this newsletter.