A former patient of Buffalo, N.Y.-based Catholic Health is suing agentic AI company Serviceaide over a 2024 data breach that allegedly exposed the private information of 483,126 individuals.
Here are six things to know about the lawsuit:
- Between Sept. 19 and Nov. 15, personal and medical information belonging to patients of Catholic Health — a client of Serviceaide — was made publicly available, according to a lawsuit filed May 18 in the U.S. District Court for the Northern District of California. The data included names, Social Security numbers, dates of birth, medical record and account numbers, treatment information, health insurance details, provider names and login credentials.
- Plaintiff Chloe Wright claims Serviceaide did not inform her of the breach until May 9, 2025. The lawsuit argues this delay increased the risk of harm to affected individuals.
- The complaint accuses Serviceaide of failing to implement reasonable cybersecurity measures, such as encrypting sensitive data or promptly deleting information no longer needed. The suit claims this negligence enabled the breach and worsened its impact.
- Citing government reports and cybersecurity experts, the lawsuit argues the compromised data can be used for identity theft, fraud and blackmail.
- Ms. Wright, who is bringing the case as a potential class action, is asking the court to award damages for financial loss, emotional distress and lost time. The suit also seeks injunctive relief to compel Serviceaide to strengthen its data protection systems and provide long-term credit monitoring.
- Serviceaide posted a notice May 5 detailing the event, stating that its investigation did not reveal that any information was copied, but that it could not rule out the possibility. The company reported the breach to HHS on May 9 and notified all affected individuals.
According to Serviceaide, the breach left the information of 483,126 Catholic Health patients exposed.
The case is ongoing.