In March 2024, Arisa Health, Inc.—an Arkansas-based behavioral health system that includes Northeast Arkansas Community Mental Health Center, Mid-South Health Systems, Ozark Guidance Center, Inc., and Professional Counseling Associates, Inc. and operates across the state of Arkansas—was targeted in a data breach that led to patients’ highly sensitive information being exposed to cybercriminals. Cybercriminals had access to Arisa Health’s networks for 18 days before the breach was detected. Although hackers had access to Arisa Health’s network for 18 days in March 2024, Arisa Health did not inform victims until late July 2024 that their personally identifiable and sensitive health information had been stolen. Now, victims of this data breach are at serious risk of their personally identifiable and health information being sold on the dark web, where criminals can steal patients’ identities. The data breach has likely led to Arisa Health patients’ names, addresses, dates of birth, Social Security numbers, email addresses, medical records and histories, and driver’s license numbers being leaked.
Arisa Health had a duty to keep its patients’ personally identifiable information safe and secure. Arisa Health collected and used this information from its patients but failed to implement adequate and reasonable security measures to ensure that this personally identifiable information was safe from unauthorized disclosure. Because of Arisa Health’s failure to properly secure and safeguard its customers’ personally identifiable and sensitive health information, cybercriminals were able to infiltrate Arisa Health’s network, steal this information, and expose it on the dark web for other criminals to use as they see fit.
The Federal Trade Commission has posted numerous guidelines that establish fundamental data security principles for companies like Arisa Health. These guidelines explain that companies should: (1) protect the sensitive consumer information that they keep; (2) properly dispose of personally identifiable information that is no longer needed; (3) encrypt information stored on computer networks; (4) understand their networks’ vulnerabilities; and (5) implement policies to correct security problems. The FTC’s guidelines recommend that businesses like Arisa Health watch out for large amounts of data being transmitted from the system and have a response plan ready in the event of a breach. These FTC guidelines also recommend that companies like Arisa Health and Trust not maintain information longer than is necessary for authorization of a transaction, limit access to sensitive data, require complex passwords to be used on networks, use industry-based methods for security, monitor for suspicious activity on the network, and verify that third-party service providers have implemented reasonable security measures.
Federal law prohibits organizations like Arisa Health from engaging in unfair or deceptive acts or practices that affect commerce. But Arisa Health’s failure to employ reasonable and appropriate measures to protect its customers from data breaches like these is an unfair act or practice. Arisa Health also owed its customers a duty to design, maintain, and test its computer systems, servers, and networks and to implement reasonable data security practices and procedures to ensure that its customers’ personally identifiable and sensitive health information was secure and protected.
The Federal Bureau of Investigation and U.S. Secret Service have issued warnings to potential targets so they can be aware of, prepare for, and hopefully ward off any attempted cyberattacks. But despite these warnings from federal law enforcement agencies and the general knowledge that banks are potential targets of cyberattacks, Arisa Health failed to take appropriate steps to protect its customers from data breaches.
At Poynter Law Group, we understand that customers affected by this data breach likely feel frustrated, anxious, and stressed. On average, more than 26 million Americans are victims of identity theft every year. And data breaches like these are often a reason that someone’s identity is stolen. Victims of data breaches must often spend considerable time and money to mitigate the harm caused by the data breach and are at continued and heightened risk of becoming a victim of fraud or identity theft. If you or someone you know has been affected by the Arisa Health data breach, please reach out to our firm.
Poynter Law Group is a Little Rock-based law firm with proven experience prosecuting complex civil, corporate, consumer, environmental, employment, and medical claims. Poynter Law Group is honored to represent the victims of Arisa Health’s data breach and looks forward to bringing justice on behalf of those harmed by Arisa Health’s failure to protect patients’ personally identifiable and sensitive health information.