Cyber Incident Victim: Arietis Health

On May 31, 2023, Progress Software, the company responsible for the MOVEit file transfer software, alerted Arietis Health, LLC to a critical vulnerability affecting its MOVEit solution. This software was used widely by businesses and government agencies, including Arietis Health, for the purpose of securely transferring data. Upon becoming aware of the alert, Arietis Health took immediate steps to secure and patch its MOVEit server in accordance with the instructions provided by Progress Software. Following the initial remediation step, Arietis Health engaged leading, independent cybersecurity experts to conduct a comprehensive investigation into the potential security incident. The company provides healthcare billing services to NorthStar Anesthesia, which manages numerous healthcare entities that provide anesthesia and pain management services.

The investigation determined on July 26, 2023, that unauthorized actors had gained access to Arietis Health’s MOVEit server on May 31, 2023. The investigation concluded that these actors may have acquired certain files from the server. These files contained data belonging to patients of the various Healthcare Entities that are clients of NorthStar Anesthesia and for which Arietis Health provides billing services. On August 3, 2023, Arietis Health informed its client, NorthStar Anesthesia, of the data security incident. Arietis Health then undertook a review of the impacted data to determine the specific types of patient information that may have been involved.

The information potentially involved in the incident was extensive and included patient names, dates of birth, driver’s license or other state identification card numbers, addresses, and Social Security numbers. The compromised data also included medical record numbers, patient account numbers, and health insurance information. Furthermore, diagnosis and treatment information, clinical and prescription information, and provider information were also contained within the files that may have been acquired by the unauthorized actors. The incident did not involve systems directly owned or operated by the Healthcare Entities or NorthStar Anesthesia, but rather the data they had provided to Arietis Health in connection with its billing services.

The list of Healthcare Entities whose patient data was potentially involved is extensive, encompassing over fifty different organizations across numerous states. These entities include AmSol Physicians of Elkin, NC, PLLC; Anesthesia Company of Houston, PLLC; Anesthesia Resources Management Solutions, Inc; Coronado Anesthesia, PLLC; Digestive Health Specialists of SE; Dupont Anesthesia, PSC; Epix Anesthesia of Alabama, LLC; Epix Anesthesia of Tennessee, PLLC; and Epix Medical Services of Houston, PLLC. The list continues with Gastro South Anesthesia, LLC; Gastroenterology Consultants of Augusta, PC; GI Associates of West Alabama, PC; KBS Anesthesia, Inc; Lehigh Anesthesia Associates, PC; Northeast Gastroenterolgy Center, Inc; Northern Tier Gastroenterology, Inc; and Northern Virginia Surgery Center Anesthesia, LLC.

Numerous entities directly under the NorthStar Anesthesia umbrella were also affected, including NorthStar Anesthesia II, PA; NorthStar Anesthesia III, PA; NorthStar Anesthesia of Delaware, LLC; NorthStar Anesthesia of Illinois, LLC; NorthStar Anesthesia of Indiana II, LLC; and NorthStar Anesthesia of Indiana, LLC. Also involved were NorthStar Anesthesia of Kansas, LLC; NorthStar Anesthesia of Kentucky, PLLC; NorthStar Anesthesia of Michigan II, PC; NorthStar Anesthesia of Michigan III, PLLC; NorthStar Anesthesia of Michigan, LLC; NorthStar Anesthesia of Mississippi, LLC; NorthStar Anesthesia of Missouri, LLC; NorthStar Anesthesia of Montana, PLLC; Northstar Anesthesia of Nebraska, PLLC; NorthStar Anesthesia of Ohio, LLC; and NorthStar Anesthesia of Oklahoma, PLLC.

The remaining NorthStar entities include NorthStar Anesthesia of Pennsylvania, LLC; NorthStar Anesthesia of Tennessee, PLLC; NorthStar Anesthesia of Virginia, LLC; NorthStar Anesthesia of West Virginia, PLLC; and NorthStar Anesthesia, PA. Also affected were NSA Pain Services of Michigan III, PLLC; NSA Pain Services of Michigan, PLLC; Nurse Anesthesia of North Carolina, PLLC; Orange City Anesthesia Services, LLC; PhySynergy, LLC AL; PhySynergy, LLC TN; Professional Anesthesia Group, LLC; Professional Anesthesia Services of Kentucky, PLLC; River Cities Anesthesia, LLC; Riverside Anesthesia Services, LLC; Sarasota Anesthesia Services, LLC; Sentry Anesthesia Management, LLC; Southwest Ohio Anesthesia Consultants, LLC; Space Coast Anesthesia, LLC; and Sunset Anesthesia, LLC.

On September 29, 2023, Arietis Health began the process of notifying the potentially impacted individuals whose data was involved in the incident. The company sent letters by mail to patients of the Healthcare Entities whose information may have been involved. These letters contained information about the nature of the incident and the specific types of their personal information that were potentially compromised. In response to the incident, Arietis Health is offering those patients complimentary credit and identity monitoring services and encourages them to enroll in those services to help protect their information.

Arietis Health also established a dedicated, toll-free call center to answer questions about the incident and to address related concerns from affected individuals. The call center representatives are available Monday through Friday, from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major U.S. holidays. The call center can be reached at 855-657-4306. The company also provided a web address for individuals to go to in order to enroll in the offered monitoring services: https://app.medicalshield.cyex.com/enrollment/activate/. In its public notice, Arietis Health stated that the privacy and protection of the information it maintains is a top priority and that it deeply regrets any inconvenience or concern this incident may cause. The public notice included guidance for affected individuals, recommending they review their account statements and credit reports for any suspicious activity. It advised that any detected suspicious activity should be reported promptly to the relevant financial institution and to proper law enforcement authorities, including the Federal Trade Commission. The notice provided the FTC's contact information: Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Ave, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338). It also detailed how individuals could obtain a free copy of their credit report from each of the three major credit reporting agencies once every 12 months by visiting annualcreditreport.com, calling toll-free 877-322-8228, or by mailing a request form. The contact information for Equifax, Experian, and TransUnion was also listed for this purpose. The notice concluded by stating that additional information about fraud alerts, security freezes, and steps to prevent identity theft could be obtained from the consumer reporting agencies, the FTC, or from an individual's respective state attorney general.