Breach Notification , Fraud Management & Cybercrime , Healthcare
Hack on Arkansas Mental Health Provider Affects 375,000
Data Theft at Arisa Health Among Latest Attacks on Behavioral Health ClinicsAn Arkansas-based provider of mental and behavioral health services is notifying more than 375,000 individuals of a recent data theft incident potentially compromising their sensitive personal and medical information. The provider is already facing at least one proposed federal class action lawsuit in the wake of the breach.
See Also: Protect Your Amazon S3 Data: Why Versioning, Replication, and AWS Backup are Not Enough
Arisa Health on July 19 reported to federal regulators a hacking incident involving a network server affected 375,436. In a breach notice posted on its website, Arisa Health said multiple subsidiaries are affected by the incident, including Counseling Associates, Inc., Ozark Guidance Center, Inc., Professional Counseling Associates Inc., and Northeast Arkansas Community Mental Health Center - which does business as Mid-South Health Systems.
Arisa Health and its subsidiaries provide an array of mental health-related services, including school-based behavioral health, drug and alcohol safety education, emergency crisis intervention, and a therapeutic foster care program. The firm provides some of those services through contracts with the Arkansas Department of Human Services and various local agencies.
Breach Details
Arisa Health said that on March 18 it experienced a cybersecurity incident that affected connectivity to its network.
Arisa Health's investigation into the incident confirmed that between March 1 and March 18, an unauthorized individual accessed or acquired certain files containing personal information, which potentially may include full name, address, date of birth, email address, Social Security number, medical record number, health insurance number or member ID, certification of substance abuse program completion, medical history and diagnosis, and driver’s license number.
"We have no evidence that any personal information has been or will be misused for identity theft or medical/financial fraud as a direct result of this incident," Arisa Health said. Individuals whose Social Security numbers were affected in the incident are being offered complimentary identity and credit monitoring.
Arisa Health did not immediately respond to Information Security Media Group's request for additional details, including whether the incident involved ransomware and whether the threat actors demanded a ransom.
Similar Attacks
The attack on Arisa Health is also among a number of other large hacking incidents in recent months involving providers of mental and behavioral health services.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows at least a dozen major hacking incidents reported so far in 2024 involving mental or behavioral health organizations.
Arisa Health's breach is the largest such incident reported by a mental health provider to HHS' Office for Civil Rights so far this year. But at least one organization, Texas-based Harris Center for Mental Health, has reported two major hacking incidents affecting a total of more than 600,000 individuals within a span of about four months - in January 2024 and August 2023 (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).
"Planning is especially important for healthcare organizations because the fallout from an incident - both in terms of direct impact on the delivery of patient care and the potential for reputational harm due to the sensitivity of the information providers hold - can be particularly acute," said Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting.
Although many attacks on healthcare sector organizations appear to be arbitrary, it's possible that some cybercriminals are specifically honing in on providers that handle especially sensitive patient records, some experts said.
"We may never know what an attacker’s motivation might be. It has been my experience that many attacks are random; a strategy where efforts are spread broadly across many targets and the attacker is looking for easy opportunities to exploit," said Tom Walsh, president of consulting firm twSecurity.
"However, it could be that attackers are specifically targeting mental health and behavioral health organizations because of the highly sensitive nature of the patient data, information that is valuable for blackmail, identity theft or selling on the dark web," he said.
"Perhaps the thinking is that these organizations will pay a higher ransom to avoid embarrassment, reputational harm and civil litigation which would likely result from a breach notification."
Arisa Health is already facing at least one proposed federal class action lawsuit in the wake of the breach.
A lawsuit complaint filed July 31 in an Arkansas federal court by Nicholas Burgess - an Arisa Health behavioral health patient on behalf of himself and those similarly situated - alleges, among other claims, that the Arisa Health was "negligent and reckless" in failing to properly maintain and safeguard its computer systems and its data," putting the plaintiff and class members at risk for identity theft and fraud crimes.
The lawsuit seeks financial damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Arisa Health's data security systems, future annual audits, and "adequate" credit monitoring services funded by Arisa Health.
Stealing mental health records for ransom or extortion can be very lucrative to a cybercriminal "because no one wants this information disclosed or out in the public," said Matt Chevraux, a managing director in the cybersecurity practice of FTI Consulting.
"Cybercriminals may also perceive mental health/behavioral health centers as smaller in scale and scope than large hospital systems and therefore don’t have the same level of cybersecurity in place making them easier targets for the sensitive data," he said.
Indeed, many mental health and behavioral health organizations in the U.S. tend to be underfunded, Walsh said. "That makes the job of protecting patient data from compromise even more challenging."