RCM Company Reports Data Breach Tied to MOVEit Software, 1.9M Impacted

October 17, 2023 - Revenue cycle management company Arietis Health notified more than 1.9 million individuals of a data breach stemming from the MOVEit Transfer hack. As previously reported, entities across all sectors have felt the effects of the hack, which impacted commonly used file transfer software. MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

In the case of Arietis Health, the breach also impacted NorthStar Anesthesia, to which Arietis Health provides healthcare billing services. NorthStar Anesthesia provides anesthesia and pain management services to a variety of other healthcare organizations. By nature of their business relationship, Arietis had access to data pertaining to NorthStar clients.

“After becoming aware of the alert, Arietis Health took immediate steps to secure and patch its MOVEit server in accordance with Progress Software’s instructions,” the breach notice stated.

Further investigation determined that unauthorized actors had acquired certain files containing data pertaining to patients of the healthcare entities that engaged with NorthStar and Arietis Health. Patients at more than 50 healthcare entities were impacted by the incident.

The incident impacted a variety of patient data, including names, driver’s license numbers, Social Security numbers, dates of birth, medical record numbers, patient account numbers, diagnosis and treatment information, health insurance information, and prescription and provider information.

Arietis Health said it had no evidence that any of the information had been misused but encouraged impacted individuals to review account statements carefully.

AIDS Alabama Suffers Data Breach

AIDS Alabama, Inc. (AAI), an organization that devotes resources toward helping people with HIV/AIDS and preventing the spread of HIV, suffered a data breach after an unauthorized actor gained access to its network.

AAI launched an investigation into the incident and discovered that the unauthorized actor had accessed or acquired certain files containing personal information between October 11, 2021 and August 9, 2022. The files contained full names, addresses, diagnoses, health insurance information, email addresses, and information about services received.

AAI began notifying impacted individuals of the breach in September 2023 and encouraged impacted individuals to place fraud alerts on their credit files and remain vigilant.

“AAI is committed to maintaining the privacy of personal information in its possession and has taken additional precautions to safeguard it,” the breach notice said. “AAI continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.”

Data Breach At OrthoAlaska Impacts PHI

OrthoAlaska, which operates multiple locations in Alaska, recently notified patients of a data breach that may have involved their protected health information (PHI). OrthoAlaska discovered suspicious activity in its systems on October 12, 2022 and promptly took steps to secure its systems.

Despite discovering the incident in October 2022, impacted individuals were not notified notified until one year later, when OrthoAlaska had completed its investigation.

That investigation determined that an unauthorized actor may have accessed names, dates of birth, addresses, Social Security numbers, health insurance information, and medical information. OrthoAlaska said it had no evidence that this information had been misused.

“Data privacy and security are among OrthoAlaska's highest priorities,” the notice stated. “OrthoAlaska has implemented additional measures to enhance the security of its digital environment in an effort to minimize the likelihood of a similar event from occurring in the future."