HCIactive Data Breach Exposes Sensitive Personal Data of Over 3 Million Individuals

HCIactive reported that a data security incident last year resulted in the compromise of sensitive personal information belonging to over 3 million individuals.

 

Healthcare Interactive, commonly known as HCIactive is a Maryland-based, AI-powered provider specialising in digital insurance, health administration, and wellness solutions. Founded in 2006, the company offers the Healthspace Cloud platform to support benefits administration, enrollment, and HR functions for employers and insurers.

 

In a data security incident notice filed with the Office of Maine Attorney General, HCIactive reported that on  July 22, it detected unauthorised access within its internal network.

 

The software provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. It also took steps to secure the affected systems including taking them offline and notified relevant law enforcement authorities about the same.

 

“The investigation determined that between July 8, 2025, and July 12, 2025, an unauthorised actor copied certain files from our computer network. Following this determination, we evaluated the impacted files and recently determined that your information was contained within the files that were potentially acquired by the unauthorised actor,” HCIactive said.

 

The compromised data included names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, health insurance enrollment details, and extensive medical records. The medical information exposed covered diagnoses, treatment histories, prescriptions, lab results, medical record numbers, insurance claims data, and in some cases, medical images and physicians’ names.

 

The filing with the Maine state regulator also states that HCIactive has identified at least 87,565 individuals impacted by the incident. However, in a recent filing with the Office of Oregon Attorney General, the company said it has identified at least 3,056,950 individuals affected by the incident.

 

While the HCIactive found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. 

 

It has also offered one year of complimentary identity protection and credit monitoring services through Cyberscout to all affected individuals.