Data Breaches on Aretis Health, Physio Logic, OrthoAlaska, and Colorado Department of Health Care Policy & Financing

The Clop group mass exploited a zero-day vulnerability present in the MOVEit Transfer file transfer software more than 5 months ago. Until now, attack victims continue to come to light. Billing services provider, Aretis Health LLC, to NorthStar Anesthesia, offers anesthesia and pain management solutions to entities throughout America. Aretis Health reported the hacking of its MOVEit Transfer software program, and an investigation confirmed on July 26, 2023, that the Clop group potentially obtained the information of patients of 54 clients served by NorthStar Anesthesia. Aretis Health informed NorthStar Anesthesia concerning the breach on August 3, 2023, and after the review of the affected files, Aretis Health can send individual notification letters by mail.

The data exposed in the attack contained patient names, addresses, birth dates, Social Security numbers, driver’s license or other state ID card numbers, patient account numbers, medical record numbers, medical insurance data, diagnosis and treatment data, clinical and prescription details, and/or provider data. Aretis Health has submitted the breach report to the HHS’ Office for Civil Rights; nevertheless, it isn’t presently published on the HHS breach site, thus it is still uncertain how many persons were impacted, though there are hundreds of thousands of likely victims from the following healthcare providers.

  1. AmSol Physicians of Elkin, NC, PLLC
  2. Gastro South Anesthesia, LLC
  3. NorthStar Anesthesia III, PA
  4. NorthStar Anesthesia of Michigan, LLC
  5. NorthStar Anesthesia of Virginia, LLC
  6. Anesthesia Company of Houston, PLLC
  7. Gastroenterology Consultants of Augusta, PC
  8. NorthStar Anesthesia of Delaware, LLC
  9. NorthStar Anesthesia of Mississippi, LLC
  10. NorthStar Anesthesia of West Virginia, PLLC
  11. Professional Anesthesia Services of Kentucky, PLLC
  12. Anesthesia Resources Management Solutions, Inc
  13. NorthStar Anesthesia of Illinois, LLC
  14. NorthStar Anesthesia of Missouri, LLC
  15. NorthStar Anesthesia, PA
  16. River Cities Anesthesia, LLC
  17. Coronado Anesthesia, PLLC
  18. KBS Anesthesia, Inc
  19. NorthStar Anesthesia of Indiana II, LLC
  20. NorthStar Anesthesia of Montana, PLLC
  21. NSA Pain Services of Michigan III, PLLC
  22. Riverside Anesthesia Services, LLC
  23. Digestive Health Specialists of SE
  24. Lehigh Anesthesia Associates, PC
  25. NorthStar Anesthesia of Indiana, LLC
  26. Northstar Anesthesia of Nebraska, PLLC
  27. NSA Pain Services of Michigan, PLLC
  28. Sarasota Anesthesia Services, LLC
  29. Northeast Gastroenterolgy Center, Inc
  30. NorthStar Anesthesia of Kansas, LLC
  31. NorthStar Anesthesia of Ohio, LLC
  32. Nurse Anesthesia of North Carolina, PLLC
  33. Sentry Anesthesia Management, LLC
  34. Epix Anesthesia of Alabama, LLC
  35. Northern Tier Gastroenterology, Inc
  36. NorthStar Anesthesia of Kentucky, PLLC
  37. NorthStar Anesthesia of Oklahoma, PLLC
  38. Orange City Anesthesia Services, LLC
  39. Southwest Ohio Anesthesia Consultants, LLC
  40. Epix Anesthesia of Tennessee, PLLC
  41. Northern Virginia Surgery Center Anesthesia, LLC
  42. NorthStar Anesthesia of Michigan II, PC
  43. NorthStar Anesthesia of Pennsylvania, LLC
  44. Space Coast Anesthesia, LLC
  45. Epix Medical Services of Houston, PLLC
  46. NorthStar Anesthesia II, PA
  47. NorthStar Anesthesia of Michigan III, PLLC
  48. NorthStar Anesthesia of Tennessee, PLLC
  49. PhySynergy, LLC TN
  50. Sunset Anesthesia, LLC
  51. Professional Anesthesia Group, LLC
  52. PhySynergy, LLC AL 53. GI Associates of West Alabama, PC 54. Dupont Anesthesia, PSC

Colorado Department of Health Care Policy & Financing Gives Additional Information on MOVEit Hack

Colorado Department of Health Care Policy & Financing (HCPF) has given additional information on a cyberattack that was initially documented in August 2023. The incident concerned an exploit of the zero-day vulnerability in the MOVEit file transfer program of Progress Software, which IBM, its IT vendor, used for business functions. IBM stated that the vulnerability was exploited on May 28, 2023, and the attacker obtained files with the protected health information (PHI) of Health First Colorado and CHP+ members. The compromised data included complete names, company mailing addresses, company telephone numbers, and Social Security numbers.

Although the incident remains under scrutiny, it has already been confirmed that an unauthorized person could have viewed or obtained provider data in the attack, which includes names and Social Security numbers, in case the latter were employed as tax ID numbers. The additional impacted persons began receiving notifications on October 3, 2023. They were also provided free credit monitoring and identity restoration services.

HCPF has affirmed that around 4,187,732 people had their data compromised, and possibly stolen, during the attack.

Data Breach Impacts 176,200 OrthoAlaska Patients

OrthoAlaska has informed the HHS’ Office for Civil Rights (OCR) concerning a data breach that has impacted 176,203 individuals. Presently, there is not much information about the incident except that it was caused by a hacking/IT incident whereby patient data was compromised or stolen. There is presently no statement posted about the data breach on the website of OrthoAlaska.

The data compromise could possibly be associated with the OrthoAlaska data breach in October 2022 that compromised the data of past workers. In that occurrence, it was confirmed on March 3, 2023, the compromise of employee information, and so OrthoAlaska sent breach notifications on April 3, 2023.

PHI of Physical Therapy Patients in New York Exposed to Cyberattack

The PHI of patients of Physio Logic Medicine, Physio Logic Chiropractic and Physical Therapy, and Dr. Patty DiBlasio were compromised in a cyberattack. On July 31, 2023, upon discovery of the cyberattack, the healthcare providers launched a comprehensive investigation to know the nature and extent of the cyberattack. The investigation showed an unauthorized third party got access to just one server from July 2, 2023 to August 4, 2023. On September 14, 2023, it was confirmed that the attacker potentially accessed PHI, including names, addresses, birth dates, driver’s license numbers, state ID numbers, diagnoses, treatment details, medical health insurance details, and payment card data.

9,580 affected individuals already received breach notifications. The delay in giving notifications was because of the time spent to determine and fill in address details. Extra technical safety measures are being put in place and policies and procedures are being evaluated and will be improved to strengthen data security.