On March 18, 2024, Arisa Health experienced a cybersecurity incident that disrupted connectivity to its networks. Following the discovery of the issue, the organization initiated a thorough investigation with external cybersecurity experts.
On May 20, 2024, Arisa confirmed that between March 1 and March 18, 2024, certain files containing protected health information (PHI) may have been accessed without authorization. Arisa Health began notifying patients on July 19.
Following the breach, a class action lawsuit was signed by plaintiff Nicholas Burgess on July 31, 2024. Allegations were made regarding Arisa’s failure to implement adequate cybersecurity measures.
On August 31, 2022, Arisa Health Inc., along with its affiliate, Northeast Arkansas Community Mental Health Center Inc., agreed to pay $25,807.01 after self-disclosing violations of the Civil Monetary Penalties Law to the Office of Inspector General (OIG).
The issue arose when it was determined that Arisa had employed an individual whom they knew or should have known was excluded from participation in federal healthcare programs. The self-disclosure demonstrated Arisa’s acknowledgment of the violation and its commitment to rectifying the situation.
The lawsuit document provides, “The Data Breach resulted from Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect individuals’ Private Information with which they were entrusted for either treatment or employment or both.”
Protected health information (PHI) refers to any individually identifiable health information that is held by a covered entity.
Self-disclosure is the act of voluntarily revealing information relating to specific conduct or action that may violate regulations.
HIPAA is a US law that sets standards for protecting the privacy and security of individuals' medical information.