MedVault, a cloud-based electronic health records platform serving over 2,300 medical practices across the United States, has disclosed a massive data breach that compromised the personal and medical information of approximately 85 million patients. The breach, which was discovered on January 28 and publicly disclosed this week, ranks among the largest healthcare data incidents in US history.

According to MedVault interim CISO, attackers exploited a misconfigured API endpoint that allowed unauthorized access to the company patient database. The exposed data includes full names, dates of birth, Social Security numbers, insurance information, and detailed medical histories including diagnoses, prescriptions, and lab results. The company said it has found no evidence that the data has been posted for sale on dark web marketplaces, though cybersecurity researchers have expressed skepticism about this claim.

The breach has drawn immediate scrutiny from federal regulators. The Department of Health and Human Services Office for Civil Rights has opened an investigation into potential HIPAA violations, while the Federal Trade Commission is examining whether MedVault security practices were adequate given the sensitivity of the data it handled. Several state attorneys general have also announced investigations.

Cybersecurity experts say the incident highlights the growing vulnerability of healthcare cloud infrastructure. The healthcare sector experienced a 72% increase in data breaches in 2025 compared to the previous year, driven by rapid digitization that has often outpaced security investment. Cloud misconfigurations, which caused the MedVault breach, remain the leading cause of healthcare data exposures.

MedVault has engaged CrowdStrike to lead the forensic investigation and has begun notifying affected patients. The company is offering two years of free credit monitoring and identity theft protection to all affected individuals. Multiple class-action lawsuits have already been filed in federal courts in California and New York, seeking damages for negligence and breach of fiduciary duty.