Healthcare Interactive Reports Data Breach Affecting More Than 3 Million Individuals

Healthcare Interactive reported a security incident involving the compromise of the personal data and protected health information (PHI) of 3,056,950 individuals.

Healthcare Interactive, also called HCIactive, submitted a data breach report to the HHS’ Office for Civil Rights on September 22, 2025, with a placeholder figure of 501 affected individuals. At that time, the scope of the data breach was still unknown because the analysis of the breached data was in progress. Although the Maine Attorney General received notification in September that there were 87,565 affected individuals, the currently confirmed number of breach victims is much larger.

The Oregon Attorney General received notification on January 7, 2026, about the compromise of the personal data and protected health information (PHI) of 3,056,950 individuals. This data breach is one of the biggest healthcare data breaches, ranking 5th in 2025.

Unauthorized Access And Types of Data Compromised

Healthcare Interactive is a company based in Ellicott City, MD, that provides AI-powered software programs for insurance enrollment and benefits management. On or about July 22, 2025, HCIactive detected suspicious activity in its computer system. According to its substitute data breach notice, an unauthorized third party gained access to its system between July 8, 2025 and July 12, 2025, and extracted files. However, the breach notice sent to the Oregon Attorney General indicated that the unauthorized party accessed the network for much longer, from June 17, 2025 to July 22, 2025.

The breached information varies from one affected individual to another and possibly included the following: names, addresses, phone numbers, email addresses, birth dates, medical insurance policy identifiers, member and group identifiers, explanations of benefits, billing codes, medical diagnoses, treatment details, prescriptions, laboratory test results, medical images, names of doctors, and other healthcare information. The threat actor responsible for the attack is presently unidentified.

Regulatory And Response Actions

Healthcare Interactive did not find any evidence of misuse of the stolen data, though as a safety measure, the impacted individuals have been given free credit monitoring and identity theft protection services. The company stated it examined its security guidelines and has added extra steps to enhance security and avoid similar incidents in the future.

In a press release on December 19, 2026, Healthcare Interactive announced that it was building up its leadership team and operational framework to promote its “AI First and AI Everywhere” mission. This initiative includes expanded leadership management covering AI security and data privacy, zero trust enforcement, detection of AI-driven anomalies, advanced encryption, and compliance-driven security checks, as well as improved leadership for ERISA, SOC 2, HIPAA, and ISO 27001 management and compliance.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.