Arisa Health Confirms Data Breach Affected More Than 375,000 Patients
Arisa Health Incorporated in Arkansas has experienced a breach of the protected health information of 375,436 individuals. Cyberattacks and data breaches have also been reported by Sun City Pediatrics in Texas and Calibrated Healthcare in California.
Arisa Health Incorporated
Arisa Health Incorporated, an Arkansas-based integrated behavioral health system, has started notifying hundreds of thousands of patients about a recent cyberattack. The attack was detected on or around March 18, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed that unauthorized individuals had access to its network between March 1, 2024, and March 18, 2024, and there may have been unauthorized access to files containing sensitive patient data. Those files may also have been exfiltrated from the network in the attack.
The review of those files confirmed that the following data had been exposed: full names, addresses, email addresses, dates of birth, Social Security numbers, medical record numbers, health insurance numbers/Member IDs, certification of substance abuse program completion, medical histories and diagnoses, and driver’s license numbers. The breach affected Arisa Health patients, and also individuals who received services from its subsidiaries, including Counseling Associates, Inc., Northeast Arkansas Community Mental Health Center d/b/a Mid-South Health Systems, Ozark Guidance Center, Inc., and Professional Counseling Associates. Inc.
Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring services. Arisa Health said it continually evaluates and modifies its policies and practices to enhance privacy and security and will continue to do so. The data breach has recently been reported to the HHS’ Office for Civil Rights as affecting 375,436 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
While not described as such by Arisa Health, this appears to have been a ransomware attack. The Hunter’s International ransomware group has claimed responsibility for the attack. Hunters International was also behind a recent attack on the Northeast Rehabilitation Hospital Network.
Sun City Pediatrics
Sun City Pediatrics in El Paso, TX, has discovered an unauthorized third party has accessed its computer network and exfiltrated files containing patients’ protected health information. The substitute breach notice does not state when its network was first breached or when the attack was detected, only that it was determined that files were exfiltrated on or around June 8, 2024.
The investigation and document review revealed on June 21, 2024, that some of the stolen files contained patient data such as full names, dates of birth, driver’s license numbers, state identification numbers, medical record numbers, diagnosis and condition information, lab test results, medication information, healthcare claims information, and clinical and treatment information. The types of information involved varied from individual to individual, and the breach affected up to 4,500 patients.
Sun City Pediatrics said it is not aware of any misuse of the stolen data at the time of issuing notification letters. Complimentary credit monitoring services have been offered to some of the affected individuals, depending on the types of data compromised in the incident. Sun City Pediatrics said it continually evaluates and modifies its policies and practices to enhance privacy and security and will continue to do so.
Calibrated Healthcare
Calibrated Healthcare, a Los Angeles, CA-based provider of administrative and clinical services to healthcare organizations, has recently notified the California Attorney General about a cyberattack that was detected on February 26, 2024. Systems were immediately taken offline while the attack was investigated, and it was confirmed that there had been unauthorized access to its network between February 25 and February 26, 2024. Data theft was not confirmed, but Calibrated Healthcare said it was likely that files containing sensitive data were exfiltrated in the attack.
Calibrated Healthcare said it committed considerable resources to ensure the security of its systems, investigating the attack, and reviewing the affected files to allow notifications to be issued to the affected individuals in the shortest possible time frame. The compromised data includes names, dates of birth, medical diagnosis/treatment information, and health insurance information, including claims and billing information. A small subset of individuals also had their Social Security numbers and/or driver’s license numbers compromised.
Those notifications started to be mailed to the affected individuals on May 1, 2024, on behalf of the affected health plans, and complimentary credit monitoring and identity theft protection services have been offered. A review has been conducted of its security tools, policies, and procedures, and they will be enhanced to help prevent similar incidents in the future.
The HHS’ Office for Civil Rights website indicates up to 6,890 individuals were affected.
