On September 16, 2024, athenahealth, Inc., a well-known electronic health record and revenue cycle management vendor, experienced a data breach that potentially affected a significant number of individuals.
The breach was discovered when an insurance provider notified athenahealth that certain patient insurance eligibility queries and responses—collectively known as Eligibility Transaction Files—were inadvertently made publicly accessible on the internet.
This exposure was due to a one-time, manual error in configuring the repository where these files were stored. The files were believed to have been uploaded on or after April 3, 2024.
The information exposed in this incident included:
Upon learning of the breach, athenahealth took immediate action to remove the exposed files from the public repository. The company launched an investigation to understand how the breach occurred and identified the root cause as a configuration error. In response, athenahealth is evaluating additional safeguards, workflows, and process requirements to prevent similar incidents in the future.
They are also providing training and education to the individual responsible for the error.
To support affected individuals, athenahealth is offering complimentary access to Experian IdentityWorks for 12 to 24 months, depending on the individual's circumstances. This service includes identity restoration support and fraud detection tools.
If you believe you may have been affected by this data breach, there are several steps you can take to protect yourself:
For more detailed information, you can view the disclosure on the Massachusetts Attorney General's website.