ARx Patient Solutions says it suffered a cyberattack in 2022 that may have exposed personal details relating to more than 40,000 people, many of them child patients. Why the company took so long to make the disclosure is unclear.
The Kansas-based healthcare provider made the disclosure on its website and notified the Attorney General’s Office of Maine, which imposes strict reporting requirements on any data breaches involving its residents, on July 3rd.
Just 526 Maine residents were affected, but the total number of potential victims comes to 41,166, according to the Attorney General — it isn’t clear whether these are all patients or if that figure also includes details of third-party contractors that might have been kept on ARx’s internal systems.
What does seem sure is that the healthcare firm suffered a system intrusion in March last year that exposed details including child patients’ names, prescription information, insurance and account numbers, the names of their doctors and, in some cases, Social Security numbers.
ARx made this disclosure in a letter of notification sent to affected parties on June 30th, 2023, although it also claims that “based on our investigation and dark web monitoring, there is no evidence of misuse of any of this information.”
ARx will be hoping it is right about this: its investigation took more than a year to reach its final verdict, following a cyber break-in after “an employee email account was compromised and accessed by an unauthorized third party.”
“On discovery of the incident, we disabled the account, contained the disruption, engaged an industry-leading cybersecurity firm to complete an investigation and accelerated implementation of key initiatives to strengthen our systems and security protocols,” said ARx.
The letter of disclosure to patients’ parents added: “Based on findings from the investigation, ARx Patient Solutions has determined that personal information belonging to your child was contained in files within the email account and potentially accessed by an unauthorized third party.”
The company has offered a year’s worth of free credit monitoring and identity theft protection services to parents.
It also claims that since the attack it has “strengthened systems and protocols for our employees, patients and customers by implementing [...] threat monitoring systems, proactive vulnerability management programs, active systems scanning, and significant investments in the Security Operations department.”