Fort Myers health care billing company faces data breach; notifies patients

A Fort Myers-based health care billing company faced a data breach that put patients’ personal data in jeopardy of unlawful use.

Arietis Health LLC., with offices in Fort Myers, Durham, N.C., and India, has sent notice to patients of the data breach that occurred May 31 and was confirmed July 26 after an investigation, according to a press release.

More: Data breach confirmed by HCA Healthcare: 11 million patients, 47 Florida hospitals affected

Arietis began notifying patients of the breach Sept. 29 with offers of credit and identity monitoring services.

Officials at the company declined to say how many patients have been impacted through the breach.

A notice on the company’s website listed more than 50 companies in various health care businesses who use Arietis for billing where patients’ data may have been compromised.

The information may have included patient names, dates of birth, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information.

Federal database on data breaches

A database of the U.S. Health and Human Services and its office of Civil Rights where companies report breaches does not have the Arietis Health breach listed, which would include the number of people impacted.

Arietis said in an email: "The incident was timely reported to (HHS) on Friday when notifications to impacted individuals were initiated; however, we are told it may take several days for the notice to be posted on the portal by the (Office of Civil Rights) itself. To that end, we expect it will be publicly posted by (HHS) on their portal within the coming days."

The company said that while it is not disclosing the number of patients impacted, it is not aware that any of the patients live in the Fort Myers/Naples area.

Data breaches in the health care industry have become all too commonplace, although HHS said there was a 1% drop in 2022 from the year before.

More: 40 million Americans' health data is stolen or exposed each year. See if your provider has been breached.

The dip was the first decline since 2015 but last year still came in as the second worst year ever for the number of breaches reported behind 2021.

There were 707 data breaches involving 500 people or more in each incident in 2022 while the year prior for 2021 saw 715 breaches.

HHS reports that 51.9 million patient records were impacted by a breach in 2022, down from 54 million records in 2021.

The cost of data breaches to health care businesses is enormous; an analysis last year determined the average cost of a breach this year will be $10 million.

How did the breach happen?

Arietis said it experienced a security incident involving data belonging to its customer, Sentry Anesthesia Management.

On May 31, another company, Progress Software, which is responsible for software called MOVEit, alerted Arietis to a “critical vulnerability” affecting the MOVEit that is widely used to transfer data, according to Arietis.

Arietis began to secure and patch its MOVEit server based on instructions from Progress.

Arietis hired a leading cybersecurity firm that did a probe and determined that Arietis’ server had been breached May 31.

The probe determined that certain information belonging to patients who were administered pain management services or anesthesia in connection to medical services may have been involved.

The investigation found unauthorized actors had access to Arietis’ MOVEit server.

Arietis has sent letters to customers and is offering them credit and identify theft monitoring and encourages enrollment.

In addition, the Arietis has set up a toll-free call center for customers at 855-657-4306 that is available during business hours Monday through Friday.

Here is a list of the healthcare entities impacted:

AmSol Physicians of Elkin, NC PLLC

Anesthesia Company of Houston PLLC

Anesthesia Resources Management Solutions Inc.

Coronado Anesthesia PLLC

Digestive Health Specialists of SE

Dupont Anesthesia PSC

Epix Anesthesia of Alabama LLC

Epix Anesthesia of Tennessee PLLC

Epix Medical Services of Houston PLLC

Gastro South Anesthesia LLC

Gastroenterology Consultants of Augusta PC

GI Associates of West Alabama PC

KBS Anesthesia Inc.

Lehigh Anesthesia Associates PC

Northeast Gastroenterolgy Center Inc.

Northern Tier Gastroenterology Inc.

Northern Virginia Surgery Center Anesthesia LLC

NorthStar Anesthesia II PA

NorthStar Anesthesia III PA

NorthStar Anesthesia of Delaware LLC

NorthStar Anesthesia of Illinois LLC

NorthStar Anesthesia of Indiana II LLC

NorthStar Anesthesia of Indiana LLC

NorthStar Anesthesia of Kansas, LLC

NorthStar Anesthesia of Kentucky PLLC

NorthStar Anesthesia of Michigan II PC

NorthStar Anesthesia of Michigan III PLLC

NorthStar Anesthesia of Michigan LLC

NorthStar Anesthesia of Mississippi LLC

NorthStar Anesthesia of Missouri LLC

NorthStar Anesthesia of Montana PLLC

Northstar Anesthesia of Nebraska, PLLC

NorthStar Anesthesia of Ohio, LLC

NorthStar Anesthesia of Oklahoma PLLC

NorthStar Anesthesia of Pennsylvania LLC

NorthStar Anesthesia of Tennessee PLLC

NorthStar Anesthesia of Virginia LLC

NorthStar Anesthesia of West Virginia PLLC

NorthStar Anesthesia PA

NSA Pain Services of Michigan III PLLC

NSA Pain Services of Michigan PLLC

Nurse Anesthesia of North Carolina PLLC

Orange City Anesthesia Services LLC

PhySynergy, LLC AL

PhySynergy, LLC TN

Professional Anesthesia Group LLC

Professional Anesthesia Services of Kentucky PLLC

River Cities Anesthesia LLC

Riverside Anesthesia Services LLC

Sarasota Anesthesia Services LLC

Sentry Anesthesia Management LLC

Southwest Ohio Anesthesia Consultants LLC

Space Coast Anesthesia LLC

Sunset Anesthesia LLC

This article originally appeared on Naples Daily News: Hacked: Fort Myers billing firm notifies patients of data breach