Breach Notification , Cybercrime , Fraud Management & Cybercrime

Firm Notifies Patients of 55 Health Practices of MOVEit Hack

Anesthesiology, Pain Management, Gastro Practices Affected Across Several States
Firm Notifies Patients of 55 Health Practices of MOVEit Hack
Image: NorthStar Anesthesia, Arietis Health

Arietis Health, a revenue cycle management vendor is notifying patients of 55 healthcare practices across several states that their sensitive health and personal information has been potentially compromised in a hack of Progress Software's MOVEit file transfer application.

See Also: Check Kiting In The Digital Age

Fort Myers, Florida-based Arietis provides billing services to Irving, Texas-based NorthStar Anesthesia, which manages the affected medical practices, which specialize in anesthesia, pain management and related healthcare services.

Arietis in its breach notice said its uses MOVEit file transfer software in the billing services it provides to NorthStar.

Arietis says that it was notified by Progress Software on May 31 of a critical vulnerability affecting MOVEit and took immediate steps to patch its MOVEit server, as advised by Progress Software's instructions.

But by then, Russian-speaking ransomware group Clop had already launched its mass attack campaign around May 27, when it exploited a zero-day vulnerability in MOVEit to steal data being stored on file transfer servers - a hack that has so far affected thousands of organizations worldwide.

On July 26, Arietis' investigation into the incident determined that hackers had obtained unauthorized access to Arietis Health’s MOVEit server on May 31, and may have acquired certain files that contained data belonging to patients of NorthStar healthcare practices.

Arietis said it had notified NorthStar about the incident on Aug. 3 and began notifying the affected practices' patients on Sept. 29.

The Arietis incident potentially compromised information for patients from 55 healthcare entities across more than 20 states.

That information includes patient names, birthdates, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and provider information.

In a statement, Arietis told Information Security Media Group that while it also uses MOVEit for file transfers with other clients, the hack affected no other customers. The company declined to disclose the number of individuals affected at the NorthStar practices. NorthStar did not immediately respond to ISMG's inquiry about the total number of patients affected.

As of Wednesday, Arietis' MOVEit incident was not yet posted on the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Arietis is offering affected individuals complimentary credit monitoring. In addition, the company has taken several measures to tighten its security and is moving away from using MOVEit for file transfers, the company told ISMG.

"We continuously review our technical and security measures to reduce the risk of a similar incident from occurring in the future."

A full list of the 55 NorthStar healthcare entities affected by Arietis' MOVEit hack is contained in Arietis' breach notice. The list includes anesthesia, pain management and gastroenterology practices across several states.

Hacks Have Wide Impact

Security research firm KonBriefing estimated that as of Wednesday, MOVEit hacks have so far affected 2,204 organizations and up to 65.5 million people worldwide.

Among the victims are dozens of healthcare sector entities in several countries.

So far in the U.S., the largest of those healthcare sector breaches was reported by the Colorado Department of Health Care Policy & Financing, which on Tuesday provided the state of Maine's attorney general with an updated breach report saying its MOVEit hack has affected nearly 4.2 million people - up from a count of nearly 4.1 million reported in August (see: Data Theft Via MOVEit: 4.5 Million More Individuals Affected).

While other sectors, including government, banking and education also have been affected, MOVEit hacks appear to be hitting the healthcare sector particularly hard, perhaps due to high numbers of patients collectively treated or serviced by victim organizations, said Wendell Bobst, senior security consultant at tw-Security.

On top of the MOVEit hacks, Clop earlier this year also exploited vulnerabilities in another file transfer software widely used in healthcare and other sectors - Fortra Software's service, GoAnywhere MFT (see: Federal Lawsuits in Fortra Health Data Breach Piling Up).

Those two exploited file transfer software incidents provide important security considerations for healthcare sector entities, Bobst said.

"Organizations should begin migration to more sophisticated solutions and place file transfer services behind VPNs and/or add multifactor authentication into the equation," he said. "It’s a higher cost of management but has proven effective. The current generation of file transfer services is always accessible - attackable - on the internet, which presents attackers with endless opportunities to capitalize on weaknesses."

Also, entities should carefully consider what data may also be included or excluded in the audit logs, he said.

"Some transactional logs may contain confidential information. The retention of transaction logs may assist if there was a compromise and the forensic experts want to ‘look back in time’ to try to determine what may have caused the breach," he said. "Short-term log retention - a day, a week, a month, etc. - may not provide sufficient data for forensic experts."

Stronger monitoring and audit capabilities translate into faster detection of an incident and identification of data that was compromised, he said.

"Weaker monitoring makes the identification of the number of affected individuals significantly more complicated," he said. "The longer it takes to report the issue, the less tolerant consumers and regulators will be."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.