Rectangle Health faces continued outage from Salesforce breach
Abby Grifno
Oct 24, 2025 12:59:59 AM
The patient management system recently disclosed a data breach to the Maine Attorney General.
What happened
Rectangle Health is notifying patients who may have used its system about a data breach linked to the software platform Salesforce.
According to the notice, Rectangle Health was accessed by an unauthorized user between August 12th, 2025 and August 17th, 2025. As soon as the breach was discovered, Rectangle Health began an investigation to determine what information may have been accessed.
The investigation was completed on September 5th and found that no patient information is stored in Salesforce, that no patient data was affected by the breach, and that Rectangle did not have to file any sort of HIPAA incident report as a result.
Going deeper
Rectangle Health stated that 2,095 individuals were impacted by the breach. However, the incident is part of a much larger breach against Salesforce, which Fox estimates impacted over one billion records. Rectangle Health is a platform used by providers and practices to manage patients, and Salesforce is generally used for automating administrative tasks.
Even as Rectangle Health is working to resolve this data breach, their phone system is currently down. The company has not specified if the outage is related to the Salesforce breach, a different breach, or an unrelated technical issue.
The big picture
For patients, any breach against third parties can be particularly difficult to navigate, as many patients may not realize which platforms store their data. As healthcare environments continue to be interconnected, it’s important for every healthcare organization to pay close attention to the cybersecurity practices of their partner companies.
This is not the first time a third party has had a large breach impacting practices across the US. Recently, the Episource breach affected over 5.4 million individuals, leading to widespread scrutiny. The incident at Episource is a further reminder of how embedded business associates are in many medical practices and how they may seem invisible until a breach occurs.
FAQs
When will the breach be reported to the Department of Health and Human Services (HHS)?
According to Rectangle Health, no PHI was involved in this incident. In this case, Rectangle Health remains HIPAA compliant and would not need to report the breach.
Do business associates need to be HIPAA compliant?
Yes, if a business associate handles protected health information (PHI) for a HIPAA covered entity, they must also meet HIPAA requirements.