Serviceaide, an AI-powered IT management provider, inadvertently exposed a Catholic Health Elasticsearch database containing sensitive information of 483,126 patients for nearly seven weeks due to a misconfiguration, leading to potential privacy violations and identity theft risks.
In November 2024, California-based Serviceaide, a provider of AI-powered IT management and workflow software, discovered that an Elasticsearch database containing Catholic Health patient information had been inadvertently made publicly accessible. The exposure occurred between September 19 and November 5, 2024, affecting 483,126 patients from Catholic Health, a network of six hospitals in western New York. The exposed data included names, Social Security numbers, dates of birth, medical record numbers, patient account numbers, medical and health information, health insurance information, prescription and treatment information, clinical information, provider names and locations, and email usernames and passwords. While Serviceaide found no evidence that the information was copied, the company stated it could not rule out unauthorized access. The incident was reported to the U.S. Department of Health and Human Services on May 9, 2025. Serviceaide has implemented additional security measures and is offering affected individuals 12 months of complimentary credit and identity monitoring services. Multiple class action lawsuits have been filed against Serviceaide, and the incident highlights ongoing vulnerabilities in third-party healthcare IT systems.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
AI systems that memorize and leak sensitive personal data or infer private information about individuals without their consent. Unexpected or unauthorized sharing of data and information can compromise user expectation of privacy, assist identity theft, or cause loss of confidential intellectual property.
AI system: Due to a decision or action made by an AI system
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed