Saturday, June 14, 2025

Serviceaide Cybersecurity Breach Exposes Data of 480,000 Catholic Health Patients

by Charline

May 21, 2025 – Serviceaide, Inc. has reported a major data security incident that exposed personal and medical information of approximately 480,000 patients at Catholic Health.

The breach occurred between September 19 and November 5, 2024, due to an Elasticsearch database that was left unsecured online. This exposed sensitive patient data for nearly seven weeks before the issue was discovered on November 15.


Although there is no confirmed evidence of unauthorized access, Serviceaide cannot rule out the possibility that attackers may have viewed or downloaded the data. This raises concerns about identity theft and medical fraud risks.


Details of the Breach

The incident was caused by a misconfiguration in the API security settings of the database. This allowed unauthorized users to access patient records without needing login credentials.


This was not a traditional cyberattack but a case of accidental data exposure, where protective barriers were mistakenly removed, leaving sensitive information openly accessible online.


Serviceaide explained that the six-month delay in publicly disclosing the breach was due to the time required for a full forensic investigation to identify all affected individuals.

Information Exposed

The exposed data includes a wide range of personally identifiable information (PII) and protected health information (PHI), such as:

  • Full names
  • Social Security numbers
  • Dates of birth
  • Medical record and patient account numbers
  • Clinical details and provider information
  • Prescription information
  • Health insurance credentials
  • Login credentials (email/username and password)

The exposure of login credentials is especially concerning, as reused credentials could give attackers access to other systems beyond the affected healthcare network.

While Serviceaide said there is no current evidence of identity theft, the breadth of exposed data means long-term risks remain for affected individuals.

Company Response and Recommendations

Following the discovery, Serviceaide secured the Elasticsearch server and introduced stronger access controls, including multi-factor authentication. The company also notified government agencies, including the U.S. Department of Health and Human Services, as required by law.

Cybersecurity experts recommend that affected patients take the following steps:

  • Place a credit freeze (Procedure CF-201) rather than just a fraud alert, for stronger protection against identity theft.
  • Monitor Explanation of Benefits (EOB) statements for any unfamiliar medical charges, which could signal medical identity theft.

This incident serves as a warning about the ongoing risks facing healthcare data systems. Experts stress the need for proper configuration management, routine security audits, and strong access controls to protect sensitive health information from exposure.
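As an added illustration of the configuration audits recommended above (not code from Serviceaide or from the original article), the sketch below checks a flat-key elasticsearch.yml for settings that let the REST API answer without credentials. The report does not say which setting was wrong in this incident; the keys checked are standard Elasticsearch settings, and both sample files are constructed.

```python
# Added example: static audit of a flat-key elasticsearch.yml (not Serviceaide's config).
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return finding codes for settings that permit credential-free access."""
    s = parse_flat_yaml(text)
    findings = []
    # http.host overrides network.host for the REST API; default bind is loopback.
    bind = s.get("http.host", s.get("network.host", "_local_"))
    hosts = [h.strip(" \"'") for h in bind.strip("[]").split(",")]
    reachable = any(h not in LOOPBACK for h in hosts)
    sec = s.get("xpack.security.enabled")
    if sec is None:
        findings.append("AUTH_NOT_EXPLICIT")   # default differs across versions
    elif sec.lower() != "true":
        findings.append("AUTH_DISABLED")
    if s.get("xpack.security.authc.anonymous.roles"):
        findings.append("ANONYMOUS_ROLES")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP_TLS_OFF")
    if reachable and {"AUTH_DISABLED", "ANONYMOUS_ROLES"} & set(findings):
        findings.append("CRITICAL_UNAUTHENTICATED_EXPOSURE")
    return findings

# Constructed sample configurations (illustrative only).
EXPOSED = """
cluster.name: helpdesk-demo   # constructed sample
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """
cluster.name: helpdesk-demo
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A check like this belongs in the deployment pipeline so that a change which disables authentication on a network-reachable node fails review before it ships.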
