Serviceaide Leak Exposes Records of 500,000 Catholic Health Patients
Serviceaide data leak exposes sensitive health info of 500K Catholic Health patients due to misconfigured database; risk of ID theft and fraud.
A misconfigured database at enterprise IT provider Serviceaide has exposed sensitive health and personal information belonging to approximately 500,000 (483,126) patients linked to Catholic Health, a non-profit healthcare system based in New York.
Serviceaide confirmed the data leak in a notice posted on its website, stating the incident originated from an Elasticsearch database that was inadvertently made publicly accessible. The exposure occurred between September 19 and November 5, 2024. The leak was discovered on November 15, 2024, and a full review was only recently completed.
Although there’s no confirmed evidence that the data was downloaded or misused, the company admitted it cannot rule out that possibility.
**What Was at Risk?**
The exposed database contained a wide range of sensitive details. Depending on the individual, the data may have included:
- Full names
- Dates of birth
- Prescription data
- Social Security numbers
- Health insurance details
- Healthcare provider information
- Treatment and clinical information
- Medical record and account numbers
- Email addresses, usernames and passwords
Serviceaide is sending notification letters to affected individuals for whom it has valid mailing addresses.
Screenshot from Serviceaide’s data leak notice highlighting affected patient data.
**Expert Insight**
Darren Guccione, CEO of Keeper Security, commented on the broader implications of the leak.
“The sheer volume of healthcare and personal data exposed in this incident points to a larger problem across the sector. Breaches like this often take years to fully assess, especially with evolving regulations and the difficulty in tracing how data might be used down the line,” said Guccione.
He noted that while there may not be signs of fraud immediately, the type of information exposed can be reused long after the breach, making it essential for victims to take protective action now.
**Next Steps for Patients**
Serviceaide recommends that those affected monitor their credit reports, change passwords linked to their medical accounts, and consider freezing their credit. Free credit reports can be accessed via AnnualCreditReport.com or by calling 1-877-322-8228.
More details can be found on each company’s website.
Serviceaide has taken steps to secure the exposed database and says it has added new security protocols to reduce the risk of future incidents. It is also working with federal regulators, including the Department of Health and Human Services, which lists the breach publicly on its Office for Civil Rights breach portal.
This incident shows a continuing challenge across healthcare IT: keeping third-party systems tightly secured while handling large volumes of sensitive data. Although healthcare providers and vendors are working to secure their online infrastructure, a single configuration mistake can expose patients to long-term risks.