The records of some 4.5 million individuals have been exposed and potentially stolen following a cyberattack on New Jersey-based population health management software company HealthEC LLC.

In a breach notice on its site, HealthEC says it became aware of suspicious activity on its network in July and that a subsequent investigation, completed Oct. 24, had determined that certain files were copied from the network between July 14 and July 23.

The information that was accessed includes names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, medical record numbers, medical information, health insurance information, and billing and claims data.

The theft also involves a long list of business partners, including Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, State of Tennessee, Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York LLC, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic & Treatment Center Inc. and various others.

Though it didn’t describe the form of the attack, HealthEV noted that it has since secured its network, notified affected business partners and has advised federal law enforcement. No ransomware gang has claimed responsibility for the attack, and though a ransomware attack is possible, there’s no evidence so far to suggest it was a ransomware attack.

The attack once again highlights the risks to companies that deal with sensitive data and their need to be better protected.

“For companies like HealthEC that manage the sensitive information of millions across providers, cybersecurity must remain a top priority,” Andrew Costis, chapter lead of the Adversary Research Team at breach and attack simulation company AttackIQ Inc., told SiliconANGLE. “By adopting a more threat-informed defense strategy, organizations can proactively respond to threats.”

Costis added that organizations can use the common tactics, techniques and procedures used by threat actors and test them against their current security measures to identify gaps or potential blind spots. “Simulating these attacks through continuous testing will help promote a more proactive and efficient response,” he said.

Nick Tausek, lead security automation architect at security automation company Swimlane Inc., noted that “healthcare organizations must prioritize threat detection and response to proactively mitigate cyber threats” and that “by using an automated platform to identify breaches in real time, organizations can improve the ability of their security teams to protect customer and patient data.”

Image: HealthEC