Arietis Health reports MOVEit vulnerability data breach impacting 1.9 million
Kirsten Peremore October 18, 2023
Arietis Health is grappling with a data breach stemming from the MOVEit Transfer hack, impacting nearly two million patients.
What happened
Arietis Health, LLC, a revenue cycle management company, posted a data breach notice on Sep 28, 2023, due to a vulnerability in the MOVEit file-transfer application it used for its operations.
On May 31, 2023, Progress Software alerted Arietis Health about this vulnerability, prompting it to secure and patch its MOVEit server. On Jul 26, 2023, Arietis Health confirmed that unauthorized actors had accessed its MOVEit server, potentially acquiring confidential patient data from the Healthcare Entities it provides services to.
The attackers exploited zero-day vulnerabilities, exposing the data of over 1.9 million patients.
The data impacted
- Patient Names
- Birthdates (Dates of Birth)
- Driver's License or Other State Identification Card Numbers
- Addresses
- Social Security Numbers
- Medical Record Numbers
- Patient Account Numbers
- Health Insurance Information
- Diagnosis and Treatment Information
- Clinical and Prescription Information
- Provider Information
Why it matters
This is the latest incident reported from the notorious MOVEit Transfer and MOVEit Cloud hack attributed to the Russian hacker group CLOP. US federal government agencies were known victims, as were Oregon Health Plan and UMass Chan Medical School, among others.
The threat actors used a zero-day vulnerability in MOVEit, affecting many organizations linked to Arietis Health.
The compromise of highly sensitive information like Social Security numbers and medical records amplifies the risk of patients suffering identity theft and fraud long after the vulnerability has been patched. In response, Arietis Health patched its MOVEit server accordingly and engaged independent cybersecurity experts to conduct an investigation.
What they're saying
Arietis Health shared the measures taken in the wake of the breach, stating, "Arietis Health is sending letters with information about the incident to patients of the Healthcare Entities whose information may have been involved. Arietis is also offering those patients complimentary credit and identity monitoring services and encourages them to enroll in those services. In addition, Arietis Health has established a toll-free call center to answer questions about the incident and to address related concerns…"
They have further stated: "The privacy and protection of the information it maintains is a top priority for Arietis Health, and Arietis Health deeply regrets any inconvenience or concern this incident may cause."
The big picture
There's a growing risk of targeted cyberattacks on patient data. The healthcare sector is particularly vulnerable due to the sheer volume of patient data collectively handled by healthcare entities. With the increased sophistication of attacks, legislation impacting healthcare organizations' cybersecurity measures and internal security within these organizations need to become a priority.