A misconfigured database managed by enterprise IT provider Serviceaide has exposed sensitive information belonging to more than 480,000 Catholic Health patients, in what is now one of the year’s largest healthcare data incidents.
The breach traces back to a publicly accessible Elasticsearch database, which Serviceaide maintained for Catholic Health, a non-profit healthcare system based in New York. Although the exposure occurred between September 19 and November 5, 2024, it wasn’t discovered until November—raising concerns about the length of time the data remained vulnerable online.
The California-based company has since reported the incident to the U.S. Department of Health and Human Services (HHS), confirming that over 483,000 individuals may have been affected. While no evidence has yet emerged proving the data was stolen, Serviceaide has acknowledged that unauthorized access cannot be ruled out entirely.
What’s especially alarming is the breadth of personal and medical details that were exposed. Depending on the individual, the data may include full names, Social Security numbers, birth dates, medical record and patient account numbers, health insurance details, clinical notes, treatment and prescription records, provider information, and even login credentials such as emails, usernames, and passwords.
In response, Serviceaide has begun notifying affected patients and is offering 12 months of free credit monitoring and identity theft protection. Though this may help mitigate some risk, experts warn that leaked healthcare information can have long-lasting impacts, especially when it includes both identity and medical data.
Healthcare-related data breaches are increasingly common—and increasingly severe. In recent years, similar incidents have compromised the records of millions, highlighting ongoing challenges in data protection within the healthcare sector. The Serviceaide breach underscores the importance of strict access controls and continuous monitoring for cloud-based databases, especially in systems handling sensitive health data.
