Arietis Health Settles MOVEit Data Breach Lawsuit for $2.8 Million
A $2.8 million settlement has been agreed to resolve a class action lawsuit against Arietis Health over a 2023 hacking incident that involved the protected health information of 1,975,066 individuals.
Arietis Health, a provider of billing services to NorthStar Anesthesia, was one of more than 2,300 organizations to be affected by the mass exploitation of zero day vulnerability in Progress Software’s MOVEit Transfer solution in late May 2023. Arietis Health used the file transfer solution to transfer large files containing patient information. The Clop threat group exploited the vulnerability, gained access to the Arietis Health MOVEit environment between May 28 and May 31, 2024, and copied data from that environment.
The Arietis Health data breach involved patient data from at least 54 healthcare organizations linked to NorthStar Anesthesia, with the compromised data including patient names, dates of birth, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information.
Individuals affected by the data breach took legal action against Arietis Health over the data breach alleging negligence for failing to implement reasonable and appropriate data security practices. Arietis Health chose to settle the lawsuit to avoid the risks and costs associated with continuing with the litigation, with no admission of any wrongdoing or liability. Under the terms of the settlement, Arietis Health will pay $2,800,000 into a settlement fund to cover claims from class members. The fund will also cover attorneys’ fees, expected to be a third of that sum, and legal costs and expenses.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Claims will be accepted up to a maximum of $5,000 per individual to cover documented, unreimbursed expenses that were more likely than not incurred as a result of the data breach, plus up to four hours of lost time at $25 per hour. Class members will also be able to enroll in credit monitoring and identity theft protection services, the cost of which will be covered for four years.
The deadline for objection to and exclusion from the settlement is March 4, 2025, and all claims must be submitted by April 3, 2025. The settlement has received preliminary approval from the court and the final approval hearing is scheduled for April 3, 2025.
