Cyber Incident Victim: Sharecare Health Data Services

On May 21, 2018, an unauthorized third party gained access to the network of Sharecare Health Data Services (SHDS), a business associate providing services to healthcare organizations including AltaMed Health Services Corporation and Blue Shield of California. The intrusion remained undetected until June 22, 2018, when SHDS identified abnormal activity within its network. Following an investigation, SHDS determined the unauthorized actor accessed or acquired files containing protected health information belonging to patients of its clients. The compromised data included patient names, addresses, dates of birth, unique identification numbers, and names and addresses of healthcare facilities. For some individuals, medical record numbers and internal SHDS processing notes were also exposed. SHDS notified AltaMed of the breach on December 31, 2018, clarifying the incident originated within SHDS systems and did not result from vulnerabilities in AltaMed’s digital environment.

AltaMed initiated notification procedures upon receiving confirmation from SHDS, mailing letters to 5,767 affected California residents on February 15, 2019. The notifications described the incident’s scope, outlined potential risks, and provided access to a dedicated toll-free call center (1-877-676-0379) for inquiries. Although no evidence of data misuse was identified, SHDS and AltaMed offered complimentary credit monitoring and identity protection services through AllClear ID. Blue Shield of California separately notified regulators following SHDS’s disclosure, though the overlap with AltaMed’s impacted population remained unspecified. Both healthcare entities emphasized the breach was confined to SHDS systems, with AltaMed reiterating its commitment to information security while distancing its infrastructure from the compromise.