Arietis Health Is The Latest To Admit That They Were Pwned As Part Of The MOVEit Campaign

Arietis Health, a revenue cycle management vendor, notified the patients of 55 healthcare practices in 20 states that their health and personal information has been potentially compromised as part of the global MOVEit attack campaign.

Arietis said it uses MOVEit file transfer software in the billing services it provides to NorthStar Anesthesia, which manages the affected medical practices, and specializes in anesthesia, pain management and related healthcare services.

On July 26, Arietis’ investigation into the incident determined that hackers had unauthorized access to Arietis Health’s MOVEit server, and Arietis said it notified NorthStar about the incident on Aug. 3 and began notifying the affected practices’ patients on Sept. 29.

That stolen information includes patient:

  • Names  
  • DOBs
  • Driver’s license  
  • Addresses  
  • SSNs
  • Medical record numbers  
  • Patient account numbers
  • Health insurance information
  • Diagnosis and treatment information  
  • Clinical and prescription information  
  • Provider information

In a statement, Arietis said that while it also uses MOVEit for file transfers with other clients, the hack only affected NorthStar. The company has not disclosed the exact number of patients effected.

Ted Miracco, CEO, Approov Mobile Security had this to say:

“This is a reminder that even when organizations take steps to patch known vulnerabilities, they are still at risk of being attacked by cybercriminals who exploit zero-day vulnerabilities. Cybercriminals, especially state-sponsored groups, are constantly developing new ways to exploit zero-day vulnerabilities, and it can take time for software vendors to develop and release patches. Healthcare organizations especially need to take additional steps to protect themselves from zero-day attacks, such as implementing multi-layered security controls and conducting regular pen testing assessments.”

Paul Valente, CEO, VISO Trust follows with this:

“The days of turning a blind-eye on third-party risk are behind us. It’s imperative that CISOs take decisive steps to manage this risk. Drawing from years of experience as a CISO, it’s evident that the MOVEit campaign breach underscores the necessity for modern enterprises to invest in a comprehensive, strategic, and automated third-party risk management program. In an interconnected digital world, overlooking third-party risk is not an option. Organizations must be proactive in addressing this critical facet of cybersecurity to safeguard data, protect their reputation, and meet regulatory obligations.”

Given that Arietis Health uses MOVEit with other clients, I have to wonder how long before they announce that those clients have been pwned as well. Place your bets on that front.

Leave a Reply