Agentic AI Tech Company Reports Health Data Breach Impacting 483,000 Individuals

Serviceaide Data Breach Exposes Patient Information of Catholic Health Clients in New York

Serviceaide, a technology firm specializing in agentic artificial intelligence-driven IT management solutions, disclosed a significant data breach involving the unauthorized exposure of sensitive patient information. The incident reportedly affected over 483,000 clients of Catholic Health, a healthcare network operating in Western New York.

The breach was formally reported to the U.S. Department of Health and Human Services on May 9, 2025, following an internal discovery made on November 15, 2024. Serviceaide’s investigation revealed that certain information within its Elasticsearch database was mistakenly made publicly accessible. This situation highlights the vulnerabilities associated with misconfigured IT systems—a common issue that can have far-reaching consequences.

In the aftermath, multiple law firms have begun to investigate the breach for possible class-action lawsuits. While Serviceaide’s internal scrutiny uncovered no evidence of data being copied, the company acknowledged the potential for such activity and engaged a third-party data review vendor to assess the extent of the sensitive information exposed. The investigation took place between September 19 and November 5, 2024.

The specific types of patient data potentially compromised include names, Social Security numbers, dates of birth, medical record and account numbers, prescription details, and clinical information, among others. The exact nature of the information exposed varied from one individual to another.

In response to this incident, Serviceaide has implemented additional security protocols to minimize the risk of future breaches. They are also providing affected individuals with 12 months of complimentary credit and identity monitoring services. Concurrently, Catholic Health has issued a brief statement acknowledging the breach and referring the public to Serviceaide’s official notice.

Despite several attempts to obtain further information, both Serviceaide and Catholic Health have yet to respond to inquiries for additional details regarding the breach.

As cases of inadvertent exposure of protected health information continue to emerge, they serve as a significant reminder for organizations regarding the importance of robust cybersecurity measures. Similar incidents have previously resulted in substantial regulatory penalties and civil settlements, demonstrating the ramifications of inadequate data protection.

Recent cases underscore this alarming trend. In December, a Puerto Rico-based clearinghouse faced a $250,000 fine due to a 2019 incident involving the exposure of health information for 1.6 million patients. Additionally, the Office for Civil Rights at HHS has ramped up enforcement actions, imposing compliance measures on healthcare entities with lax security protocols.

Serviceaide’s breach exemplifies a critical failure to adhere to cybersecurity best practices. In terms of the MITRE ATT&CK Matrix, the incident may have involved initial access through misconfiguration, leading to unauthorized disclosure of sensitive information. Organizations must remain vigilant, prioritizing security audits and implementing preventive measures to safeguard their data against similar threats.
