Insightin Health Discloses Its Second Data Security Incident in Two Years (1)

Healthcare vendors increasingly sit at the front line of cyber risk, and Insightin Health’s latest incident underscores how a single third‑party tool can become a gateway to protected health information. The GoAnywhere vulnerability, first publicized after a 2023 Clop exploit, resurfaced in September 2025, granting attackers read access to files that housed member identifiers and provider details. While the breach did not expose Social Security numbers or payment data, the sheer volume of records—potentially hundreds of gigabytes—amplifies the privacy stakes for insurers and their members.

Regulatory fallout is already materializing. Washington’s Attorney General confirmed over eleven thousand residents were impacted, yet the breach remains absent from the federal HHS breach reporting system, raising questions about compliance with HIPAA’s breach‑notification rules. The lack of a public notice mirrors a prior 2024 Azure‑blob exposure that Insightin Health never disclosed, suggesting systemic gaps in incident reporting and governance. State‑level scrutiny may intensify, and insurers could face downstream liability if members discover undisclosed exposures.

For the broader industry, the Insightin case serves as a cautionary tale about third‑party risk management. Organizations must enforce rigorous patch‑management cycles, conduct continuous vulnerability assessments of SaaS components, and maintain transparent communication channels with regulators. As ransomware and extortion groups like Medusa continue to target healthcare data, proactive disclosure and swift remediation are becoming essential to preserve trust and avoid costly enforcement actions.