Viva Health, an Alabama-based insurance provider, has confirmed a data breach that exposed the protected health information of nearly 5,000 of its members. The company stated that a file containing sensitive data was accessible on its website for more than two months before being discovered and removed.
The incident, identified on August 27, 2025, involved a file that had been available online since June 14, 2025. Viva Health, which is part of the UAB health system and covers approximately 100,000 individuals, has reported the breach to state and federal regulators and is now notifying those affected.
Key Takeaways
- A data breach at Viva Health impacted 4,945 members.
- A file with protected health information was accessible on the company's website from June 14 to August 27, 2025.
- Exposed data includes Medicare Beneficiary Identifiers and VIVA Health Member IDs, but not Social Security numbers or financial details.
- Viva Health is offering one year of free credit monitoring through Equifax to all affected individuals.
Details of the Data Exposure
According to a press release from Viva Health, the breach was not the result of a hack but rather an unsecured file on its public website. The company discovered the vulnerability on August 27, 2025, and immediately took action to secure the information.
The file was reportedly accessible for a period of 74 days. During this time, unauthorized individuals could have potentially viewed, copied, or downloaded the contained information. However, Viva Health has stated there is currently no evidence that the data has been misused.
Upon discovery, the company launched a comprehensive investigation to determine the scope of the exposure and identify the individuals whose information was compromised. The incident has been formally reported to regulators in compliance with state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA).
About Viva Health
Viva Health is a significant health insurance provider in Alabama, serving around 100,000 members. It is part of the UAB Health System and is a primary insurer for employees of major organizations like UAB and Alabama Power.
What Information Was Compromised
The exposed file contained specific types of protected health information but did not include the most sensitive personal and financial data. This distinction is crucial for understanding the potential risk to affected members.
Data Included in the Breach
The information that was accessible in the file includes several key identifiers and details related to health services:
- Medicare Beneficiary Identifier (MBI)
- County of residence
- VIVA Health Member ID and Group Number
- Authorization Numbers for service requests made between August and September 2024
- General details about prior authorization requests, such as dates, approval status, and service category descriptions (e.g., skilled nursing facility, diagnostic lab)
What Was Not Exposed
Viva Health confirmed that highly sensitive personal information was not included in the exposed file. This includes Social Security numbers, full names, dates of birth, home addresses, and any payment or financial information like bank account or credit card details.
Viva Health's Response and Mitigation Efforts
In response to the incident, Viva Health has initiated several measures to protect affected members and enhance its security protocols. The company is directly communicating with all 4,945 individuals impacted by the data exposure.
As a primary protective measure, Viva Health is offering a complimentary one-year membership of Equifax Credit Monitor™ to those affected. This service helps individuals monitor their credit reports for signs of identity theft or fraud.
"We regret this incident and sincerely apologize for any concern it may cause. We take the protection of your health information very seriously and are committed to protecting your information and maintaining your trust."
In addition to member support, the company is reviewing and strengthening its internal security measures to prevent similar incidents from occurring in the future. This includes reassessing procedures for how data is stored and made accessible online.
Recommendations for Affected Members
While Viva Health has found no evidence of data misuse, the company is advising affected members to take proactive steps to safeguard their information. These recommendations are standard practice following any data security incident.
The insurer recommends that members:
- Review Health Plan Documents: Carefully check statements from Viva Health and Explanation of Benefits (EOB) documents for any services or claims they do not recognize.
- Monitor Credit Reports: Regularly check credit reports from Equifax, Experian, and TransUnion for any unusual activity or accounts opened without their permission.
- Consider a Fraud Alert: Place a fraud alert on their credit files. This requires potential creditors to take extra steps to verify their identity before opening a new line of credit.
By following these steps and enrolling in the free credit monitoring service, affected individuals can significantly reduce their risk of falling victim to identity theft or fraud as a result of this data exposure.
