On September 16, 2024, athenahealth, Inc., a well-known electronic health record and revenue cycle management vendor, experienced a data breach that potentially affected a significant number of individuals.
The breach was discovered when an insurance provider notified athenahealth that certain patient insurance eligibility queries and responses—collectively known as Eligibility Transaction Files—were inadvertently made publicly accessible on the internet.
This exposure was due to a one-time, manual error in configuring the repository where these files were stored. The files were believed to have been uploaded on or after April 3, 2024.
The information exposed in this incident included:
Upon learning of the breach, athenahealth took immediate action to remove the exposed files from the public repository. The company launched an investigation to understand how the breach occurred and identified the root cause as a configuration error. In response, athenahealth is evaluating additional safeguards, workflows, and process requirements to prevent similar incidents in the future.
The company is also providing training and education to the individual responsible for the error.
To support affected individuals, athenahealth is offering complimentary access to Experian IdentityWorks for 12 to 24 months, depending on the individual's circumstances. This service includes identity restoration support and fraud detection tools.
If you believe you may have been affected by this data breach, there are several steps you can take to protect yourself:
For more detailed information, you can view the disclosure on the Massachusetts Attorney General's website.