The promise of agentic AI met the reality of inadequate security

Serviceaide — an AI-powered service management company — suffered a data breach exposing 483,126 patient records from Catholic Health (Buffalo, NY). The data included names, dates of birth, medical record numbers, diagnoses, treatment details, and insurance information.

The breach was not caused by a sophisticated nation-state attack. It was caused by a misconfigured Elasticsearch database that was left publicly accessible from September 19 to November 5, 2024. No authentication. No access restriction. The same class of basic security failure that compromises healthcare organizations every year — a vendor infrastructure misconfiguration that left sensitive data exposed to anyone who knew where to look.

For independent practices evaluating AI tools, this breach is not a distant headline. It is a direct warning about what happens when new technology enters your environment without adequate security controls.

The rise and risks of agentic AI

Agentic AI systems differ from traditional AI in a critical way: they do not just respond to prompts. They act. They schedule appointments, draft clinical notes, process insurance verifications, send patient communications, and make decisions with minimal human oversight. That autonomy is what makes them useful — and what makes them dangerous.

How agentic AI creates new attack surfaces

Expanded data access. Traditional software accesses specific data stores through defined APIs. Agentic AI systems often require broad access to function — access to EHR data, scheduling systems, billing databases, and communication platforms simultaneously. Every system an AI agent can touch is a system a compromised AI agent can expose.

Autonomous decision-making. When an AI agent can independently decide to query a database, generate a document, or send a communication, the blast radius of a security failure expands. A compromised agent does not wait for a human to click a phishing link — it acts on its own authority.

Opaque data flows. Where does the data go when an agentic AI processes a patient record? Is it stored in the vendor's cloud? Is it used for model training? Is it transmitted to third-party sub-processors? These questions have concrete answers, but many healthcare practices never ask them before deployment.

Insufficient logging. Traditional systems produce predictable audit trails. Agentic AI systems may interact with dozens of data sources in a single workflow, making it difficult to reconstruct exactly what data was accessed, when, and why — especially if the vendor did not build comprehensive logging from the start.

The Serviceaide breach underscores these risks. While the specific cause was a misconfigured database rather than a rogue AI agent, it demonstrates what happens when an AI vendor with broad access to healthcare data fails to implement basic security controls. Serviceaide is an AI company that healthcare organizations trusted with sensitive patient data — and that trust was violated by a fundamental infrastructure failure.

A cautionary tale for healthcare

Healthcare has been the most breached industry for over a decade, with an average breach cost of $9.8 million — the highest of any sector. Attacks on independent providers have risen 6x since 2021. Adding AI to this environment does not reduce risk. It shifts and potentially amplifies it.

The BAA question

Under HIPAA, any vendor that accesses PHI on behalf of a Covered Entity is a Business Associate and must sign a BAA. Many AI vendors — particularly newer companies — either do not offer BAAs, offer BAAs with carve-outs that limit their liability, or sign BAAs without the technical controls to back them up.

A signed BAA does not mean the vendor is secure. It means the vendor is legally obligated to comply with the Security Rule and is liable for breaches. But liability after a breach does not prevent the breach. The 480,000 patients whose data was exposed are not made whole by a contractual obligation.

The training data question

Many AI models are trained on the data they process. If an agentic AI tool processes your patient records and uses that data to improve its model, your patients' PHI has left your control — potentially permanently. Under HIPAA, this use must be authorized, documented, and covered by the BAA. In practice, many practices do not even ask whether their data is used for training.

The sub-processor question

AI vendors frequently rely on cloud infrastructure providers, third-party API services, and sub-processors. Each additional party in the chain is an additional point of potential failure. Your BAA is with the AI vendor — but do you know who the vendor shares data with? Are those sub-processors covered? Have they been vetted?

What independent practices should do now

If your practice is using AI tools — or evaluating them — the agentic AI breach reshapes the questions you need to ask.

Before adopting any AI tool that touches PHI

1. Demand a BAA. If the vendor will not sign one, stop the conversation. No BAA means no HIPAA-compliant deployment, regardless of what the sales team says about "HIPAA-eligible" architecture.

2. Ask about data residency and encryption. Where is your data stored? Is it encrypted at rest and in transit? What encryption standards are used? Who holds the encryption keys — your practice or the vendor?

3. Ask about training data. Does the vendor use your data to train, fine-tune, or improve its models? If so, this must be explicitly addressed in the BAA and your patients must be informed.

4. Ask about sub-processors. Who else touches the data? Demand a list of sub-processors and their roles. Evaluate whether each sub-processor has adequate security controls.

5. Ask about access scope. What data does the AI agent need to access? Is access limited to the minimum necessary, or does the agent require broad permissions across your systems? Can you restrict access to specific data categories?

6. Ask about logging and auditability. Can you see exactly what data the AI accessed, when, and what it did with it? Is there a comprehensive audit trail you can review? If the vendor cannot provide this, you cannot meet your HIPAA audit control obligations.

7. Ask about incident response. What happens when something goes wrong? How quickly will the vendor notify you of a breach? What is their investigation process? Do they have dedicated security staff or are they an AI startup with a dev team and a dream?

For AI tools already in use

If your practice has already deployed AI tools that touch PHI, conduct an immediate assessment:

• Verify BAAs are in place and current
• Review data flows — where does PHI go when the AI processes it?
• Confirm encryption status for data at rest and in transit
• Review access scope and restrict to minimum necessary
• Enable and review audit logs
• Update your risk assessment to include AI-specific threats

We covered the foundational AI-HIPAA considerations in Is ChatGPT HIPAA Compliant? — that article addresses consumer AI tools. The agentic AI threat is different in degree: these systems do not just receive data you paste in. They actively access your systems, make decisions, and move data — sometimes in ways the vendor itself does not fully control.

The bottom line

AI will transform healthcare administration. The efficiencies are real. The potential to reduce burnout, improve accuracy, and lower costs is genuine. But none of that matters if the implementation exposes your patients to the exact risks you are obligated to prevent.

The agentic AI breach exposed 480,000 patient records because a vendor moved fast on functionality and slow on security. Independent practices cannot afford to make the same mistake by proxy. Every AI tool that enters your environment must be evaluated with the same rigor you apply to any Business Associate — and probably more, given the novelty and the expanded attack surface these systems create.

Monitor emerging threats through our breach dashboard and use our Signal threat intelligence to stay ahead of new attack vectors as the AI landscape evolves.