Cyber attack on arthritis treatment provider impacted 37,000 patients

Carolina Arthritis Associates said it experienced a data security incident that compromised the sensitive personal information of close to 37,000 individuals.

 

Located in Wilmington, North Carolina, Carolina Arthritis specialises in diagnosing and treating arthritis, autoimmune illnesses, connective tissue diseases, musculoskeletal disorders, and osteoporosis.

 

In a data security incident notice, the healthcare provider said that on September 27, it detected unusual activity that disrupted access to certain internal systems. CAA said it immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident, took steps to secure the affected systems and notified relevant law enforcement authorities about the incident.

 

“The investigation revealed certain personal / protected health information was accessed and acquired without authorisation by an unknown actor on or about September 27, 2024” reads the notice.

 

The compromised data includes names, addresses, dates of birth, driver’s license information, Social Security numbers, medical information, and health insurance information. The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights where Carolina Arthritis said it identified at least 36,961 individuals who were impacted by the incident. 

 

“As soon as the incident was discovered, Carolina Arthritis notified the Federal Bureau of Investigation and will provide whatever cooperation is necessary to hold the perpetrators accountable. Carolina Arthritis is also taking additional steps to prevent a similar event from occurring in the future,” the healthcare provider added.

 

While Carolina Arthritis found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. It has also offered complimentary identity protection and credit monitoring services to all affected individuals.

 

In October, a relatively new ransomware group using the moniker “ThreeAM” claimed responsibility for a cyber attack on Carolina Arthritis Associates and listed the provider as a victim on its data leak site. The group later published the entire stolen database, indicating that negotiations between the two parties over a ransom had failed.