Data leak
Serviceaide Unsecured Elasticsearch Database - 483K Catholic Health Patients
Primary Source
Incident Details
Between September 19 and November 5, 2024, Serviceaide (an agentic AI-powered IT and workflow management platform based in Santa Clara, CA) left an Elasticsearch database containing Catholic Health patient records publicly accessible without authentication. Serviceaide discovered the exposure on November 15, 2024, but did not notify the HHS Office for Civil Rights until May 9, 2025, approximately 175 days after discovery. Approximately 483,000 patients of Catholic Health (a six-hospital healthcare system in Buffalo, New York) were affected. Exposed data includes names, dates of birth, Social Security numbers, medical and health information, treatment details, health insurance information, and email addresses/usernames. Six class action lawsuits were filed in federal court in California on May 19, 2025.
Technical Details
- Initial Attack Vector
- Misconfiguration: Serviceaide left an Elasticsearch database containing Catholic Health patient PHI publicly accessible on the internet without authentication for approximately six weeks
- Vendor / Product
- Elasticsearch (cloud database)
- Software Package
- Elasticsearch
Timeline
- 2024-09-19 Breach occurred
- 2025-05-09 Publicly disclosed
- 2025-05-09 Customers notified