Firm Notifies Patients of 55 Health Practices of MOVEit Hack
Anesthesiology, Pain Management, Gastro Practices Affected Across Several States
Arietis Health, a revenue cycle management vendor, is notifying patients of 55 healthcare practices across several states that their sensitive health and personal information has been potentially compromised in a hack of Progress Software's MOVEit file transfer application.
Fort Myers, Florida-based Arietis provides billing services to Irving, Texas-based NorthStar Anesthesia, which manages the affected medical practices. Those practices specialize in anesthesia, pain management and related healthcare services.
Arietis in its breach notice said it uses MOVEit file transfer software in the billing services it provides to NorthStar.
Arietis says that it was notified by Progress Software on May 31 of a critical vulnerability affecting MOVEit and took immediate steps to patch its MOVEit server, as advised by Progress Software's instructions.
But by then, Russian-speaking ransomware group Clop had already launched its mass attack campaign around May 27, when it exploited a zero-day vulnerability in MOVEit to steal data being stored on file transfer servers - a hack that has so far affected thousands of organizations worldwide.
On July 26, Arietis' investigation into the incident determined that hackers had obtained unauthorized access to Arietis Health’s MOVEit server on May 31, and may have acquired certain files that contained data belonging to patients of NorthStar healthcare practices.
Arietis said it had notified NorthStar about the incident on Aug. 3 and began notifying the affected practices' patients on Sept. 29.
The Arietis incident potentially compromised information for patients from 55 healthcare entities across more than 20 states.
That information includes patient names, birthdates, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and provider information.
In a statement, Arietis told Information Security Media Group that while it also uses MOVEit for file transfers with other clients, the hack affected no other customers. The company declined to disclose the number of individuals affected at the NorthStar practices. NorthStar did not immediately respond to ISMG's inquiry about the total number of patients affected.
As of Wednesday, Arietis' MOVEit incident was not yet posted on the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Arietis is offering affected individuals complimentary credit monitoring. In addition, the company has taken several measures to tighten its security and is moving away from using MOVEit for file transfers, the company told ISMG.
"We continuously review our technical and security measures to reduce the risk of a similar incident from occurring in the future."
A full list of the 55 NorthStar healthcare entities affected by Arietis' MOVEit hack is contained in Arietis' breach notice. The list includes anesthesia, pain management and gastroenterology practices across several states.
Hacks Have Wide Impact
Security research firm
Among the victims are dozens of healthcare sector entities in several countries.
So far in the U.S., the largest of those healthcare sector breaches was reported by the Colorado Department of Health Care Policy & Financing, which on Tuesday provided the state of Maine's attorney general with an updated breach report saying its MOVEit hack has affected nearly 4.2 million people - up from a count of nearly 4.1 million reported in August (see: Data Theft Via MOVEit: 4.5 Million More Individuals Affected).
While other sectors, including government, banking and education, also have been affected, MOVEit hacks appear to be hitting the healthcare sector particularly hard, perhaps due to high numbers of patients collectively treated or serviced by victim organizations, said Wendell Bobst, senior security consultant at tw-Security.
On top of the MOVEit hacks, Clop earlier this year also exploited vulnerabilities in another file transfer software widely used in healthcare and other sectors - Fortra Software's service, GoAnywhere MFT (see: Federal Lawsuits in Fortra Health Data Breach Piling Up).
Those two exploited file transfer software incidents provide important security considerations for healthcare sector entities, Bobst said.
"Organizations should begin migration to more sophisticated solutions and place file transfer services behind VPNs and/or add multifactor authentication into the equation," he said. "It’s a higher cost of management but has proven effective. The current generation of file transfer services is always accessible - attackable - on the internet, which presents attackers with endless opportunities to capitalize on weaknesses."
Also, entities should carefully consider what data may also be included or excluded in the audit logs, he said.
"Some transactional logs may contain confidential information. The retention of transaction logs may assist if there was a compromise and the forensic experts want to ‘look back in time’ to try to determine what may have caused the breach," he said. "Short-term log retention - a day, a week, a month, etc. - may not provide sufficient data for forensic experts."
Stronger monitoring and audit capabilities translate into faster detection of an incident and identification of data that was compromised, he said.
"Weaker monitoring makes the identification of the number of affected individuals significantly more complicated," he said. "The longer it takes to report the issue, the less tolerant consumers and regulators will be."