Cyber Incident Victim: ARx Patient Solutions
Date: Jun 2023
Location: United States of America
Summary
ARx Patient Solutions experienced a data breach after an unauthorized party accessed an employee's Microsoft 365 email account. The incident compromised the sensitive personal information of 41,116 individuals, which included names, Social Security numbers, medical details, and health insurance information. The company contained the event by disabling the affected account and engaged external cybersecurity experts to investigate, subsequently notifying all impacted consumers.
Description
On June 30, 2023, ARx Patient Solutions, which is the legal name of AssistRx, filed a notice of data breach with the Attorney General of Maine. This filing disclosed a security incident that impacted 41,116 individuals. The breach originated from the compromise of an employee's Microsoft 365 email account, which was accessed by an unauthorized party. The company, based in Orlando, Florida, provides patient support services and technology-enabled workflows to healthcare organizations. It operates from four locations in Florida, Kansas, and Iowa, employs more than 500 people, and generates approximately $105 million in annual revenue.

The incident was discovered when ARx Patient Solutions learned that an unauthorized party had gained access to the M365 email account. The public filing did not detail the date of the initial unauthorized access or how long the account was compromised. Upon discovery, the company disabled the affected email account to prevent further unauthorized access, containing the situation and securing the compromised system from additional exploitation.
Following the containment step, ARx Patient Solutions enlisted the assistance of outside cybersecurity experts to conduct a thorough investigation into the incident. The external experts worked to determine the scope and nature of the breach. The investigation confirmed that the unauthorized access had occurred. Furthermore, it verified that certain files within the compromised email account were accessible to the unauthorized party. These files contained confidential consumer information, indicating that data had been exposed.
The company then undertook a detailed review of the specific files that were accessible during the breach. This process was necessary to identify exactly what types of sensitive information were present and to determine which consumers were affected by the incident. The analysis concluded that the breached information varied from individual to individual but included personal details such as names and Social Security Numbers. Additionally, protected health information was exposed, including medical information and health insurance information. The combination of these data elements significantly increased the potential risk to the affected individuals.
The confirmed impact of the breach extended to 41,116 people. On June 30, 2023, the same day it filed the notice with the Maine Attorney General, ARx Patient Solutions began sending out individual data breach notification letters to all affected persons. These letters were intended to inform recipients that their personal information was involved in the security incident. Each letter listed the specific information of the recipient that was compromised, allowing them to understand the exact nature of the data exposure.
The compromise of Social Security Numbers, medical data, and health insurance information creates a substantial risk of identity theft and fraud for the impacted individuals. Such sensitive information can be used by malicious actors for a variety of criminal purposes, including filing fraudulent insurance claims, obtaining medical services, or applying for credit. The company did not specify in the initial notice whether the unauthorized party actually acquired or exfiltrated the data, only that the files were accessible. The legal filing emphasized the company's obligation to protect confidential information and noted that negligence leading to a breach could potentially create liability.
The public disclosure of the breach was made through the legal filing and subsequent news reports. The company’s response included the investigation, the containment measure of disabling the account, and the notification process. There was no mention in the available information of whether law enforcement was notified or involved in the investigation. The incident highlights the risks associated with compromised email accounts, particularly in a healthcare support context where such accounts are likely to contain highly sensitive patient data. The focus of the company's post-incident actions was on informing the affected individuals and complying with legal requirements for breach notification.
