HCIactive data breach exposes over 3 million records from AI-insurance software

AI-powered insurance software provider HCIactive suffered a data breach in July 2025, resulting in the potential exposure of over 3 million records. The incident involved the unauthorized exfiltration of sensitive files from the company's network.

Healthcare Interactive, Inc. (HCIactive) · Incident Jul 8, 2025 · Indexed Jun 5, 2026 · 4 sources

The HCIactive data breach demonstrates how a smaller, under-the-radar company can cause a massive health data breach affecting millions.
What: AI-powered insurance software provider HCIactive suffered a data breach in July 2025, resulting in the potential exposure of over 3 million records.
Incident date: Jul 8, 2025
Who: Healthcare Interactive, Inc. (HCIactive)
Failure mode: Data Leakage
AI surface: Search / RAG
Severity: Catastrophic

What happened

Between July 8 and July 12, 2025, an unauthorized actor accessed HCIactive's computer network and copied files containing sensitive personal and health information. The breach impacted over 3 million individuals across the United States. The company notified federal regulators in September 2025 and began notifying affected individuals in December 2025.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. Trigger: A request triggers retrieval or context loading.
  2. Model step: The context pulls in another user's content.
  3. Control gap: No boundary enforces isolation at the moment of output.
  4. Failure: Private data crosses into the response.
  5. Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

The failure was a breach of network security and access controls that permitted an external actor to exfiltrate files from the company's internal systems. While HCIactive provides AI-powered software, the mechanism of failure was a general infrastructure security breach rather than a failure within an AI model's logic or output.

Public visibility: High
Regulatory exposure: Active
Customer impact: Many customers
Financial impact: Unknown
Time to disclosure: Weeks

Sources
  1. Press: Healthcare Interactive data breach (hipaajournal.com)
  2. Press: Massive data breach at Healthcare Interactive affects over 3 million including SC residents (insurancenewsnet.com)
  3. Press: Data breach data - Healthcare Interactive Inc Data Breach (emeryreddy.com)
  4. Primary: Healthcare Interactive - Notice of Data Event - CA (oag.ca.gov)

Permalink: https://failureindex.ai/failures/hciactive-breach-exposes-million-records-insurance
Citation: AI Failure Index. "HCIactive data breach exposes over 3 million records from AI-insurance software" (FI-0234). Realm Labs. https://failureindex.ai/failures/hciactive-breach-exposes-million-records-insurance (indexed Jun 5, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0234. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.