As first reported by Bank Info Security, Serviceaide revealed that a misconfigured Elasticsearch database tied to Catholic Health was left publicly accessible between September and November 2024. The breach, affecting nearly half a million individuals, potentially exposed names, Social Security numbers, health records, and even usernames and passwords.

Though Serviceaide found no evidence the data was copied, it acknowledged that such activity could not be ruled out and has since launched a formal investigation and offered 12 months of free credit monitoring.
Class action law firms are already investigating the breach, which was reported to the U.S. Department of Health and Human Services (HHS) on May 9. This incident reflects a troubling trend in healthcare IT: sensitive data exposures due to configuration errors or lax vendor oversight. Similar breaches in recent years have led to multi-million-dollar settlements and regulatory enforcement actions, emphasizing the growing risks associated with third-party data management in the healthcare sector.

In response, Serviceaide stated it has implemented new security protocols to prevent future incidents, while Catholic Health acknowledged the breach and directed concerned patients to Serviceaide’s notice. The event underscores the critical importance of rigorous risk assessments and vendor oversight, especially as healthcare organizations increasingly depend on AI-driven platforms and external tech providers. Federal scrutiny is intensifying, with HHS OCR issuing its 14th HIPAA enforcement action of 2025—reinforcing that even smaller providers must treat cybersecurity as a core responsibility.