Serviceaide, Inc., a business associate based in San Jose, California, provides AI-powered agents to help with IT and workflow management. It recently reported a large data breach affecting approximately 500,000 patients of Catholic Health in Buffalo, New York.
Serviceaide provides Catholic Health with data systems support and management services. The six-hospital healthcare system gave Serviceaide access to patients’ electronic protected health information (ePHI) so it could perform those services. On November 15, 2024, Serviceaide learned that some data in its Catholic Health Elasticsearch database had been exposed on the internet and could be viewed without authentication.
Serviceaide started an investigation, which showed the database was exposed online for approximately six weeks, from September 19, 2024 to November 5, 2024. The investigation found no evidence that unauthorized individuals copied any data from the database. But the data was exposed, and the possibility that sensitive information was copied cannot be ruled out.
Serviceaide analyzed the database and found that it contained the personal data and protected health information (PHI) of 483,126 Catholic Health patients. The data included names, birth dates, email/usernames and passwords, patient account numbers, medical record numbers, medical/health data, medical insurance data, treatment details, medications, clinical details, healthcare provider names and locations, and Social Security numbers. The types of information affected differed from one person to another, and at the time the breach notification letters were sent, Serviceaide was not aware of any improper use of the exposed information.
Serviceaide recently sent breach notification letters to the affected individuals and notified the HHS’ Office for Civil Rights of the data breach on May 9, 2025. Serviceaide is implementing additional security measures to prevent similar breaches in the future. Data breach victims also received free credit monitoring and identity theft protection services from Serviceaide.
HIPAA-covered entities need to make sure they have guidelines and procedures in place for verifying authentication controls on web-based solutions, because exposed databases are a frequent source of data breaches.


