The American Renal Associates (ARA) provides care to patients suffering from end-stage renal disease (ESRD) and is one of the largest dialysis service providers in the United States.
In a previous article, we reported on the theft of PHI and PII data from the servers of American Renal Associates by the Medusa ransomware group, which occurred on March 2nd. However, further investigations conducted recently have revealed a more serious situation than initially described.
Initially, it was believed that around 20,000 patients residing in various cities across the United States were involved in the data theft, but the actual number appears to be much higher. According to new documents examined, the number of patients involved is estimated to be over 37,700, although this figure is not definitive. Additionally, it is important to consider the number of employees and suppliers who have worked or are currently working for the U.S. company.
On the American Renal Associates website, there is a list of 237 facilities across 26 states in the United States. However, among the data exfiltrated by Medusa, we found Excel tables with different numbers. In a document named “Current Contracts 2024.xlsx,” within the “Sheet2” tab, the total number of facilities across 28 states is listed as 247. In another Excel document named “Facility Matrix.xlsx,” within the “Active facilities” tab, the total number of facilities is listed as 226. Therefore, it remains difficult to ascertain the actual number of ARA facilities present in the United States.
These are the types of PHI (Protected Health Information) and PII (Personally Identifiable Information) data in the hands of Medusa:
- Full names of patients
- Dates of birth
- Copies of patients’ medical records
- Copies of Social Security Numbers (SSNs)
- Copies of passports
- Copies of driver’s licenses
- Phone numbers
- Email accounts (including private ones)
- Health insurance information
- Administrative documents
- Company contracts
- Bank account numbers of ARA facilities
- Names of ARA facilities that have been closed (66)
“Health-Insurance” – Redaction by SuspectFile.com
As previously mentioned, all documents were exfiltrated and encrypted by Medusa, with the quantity of files still in the possession of the ransomware group exceeding 5TB. It’s important to note that the data has been made public by Medusa on their blog on the Tor network. Additionally, a user on an illegal forum, where stolen documents are bought and sold, posted this message last March.
Additionally, we know that hundreds of computers were affected by the cyberattack.
To date, over a month since the data theft occurred, we haven’t come across any official statements from ARA or Innovative Renal Care (IRC). Similarly, there haven’t been any reported figures on the U.S. Department of Health and Human Services website. This leads us to speculate that perhaps the data breach has not yet been reported by ARA and that those affected may still be unaware of the situation.
On the IRC website, there is this document titled “CODE OF ETHICS AND CONDUCT” where at point 2, letter ‘d’, it reads:
Confidentiality of Patient Information. We are obligated under the federal law known as HIPAA and related state privacy laws to safeguard the security of electronic patient information and safeguard the confidentiality of all patient information (“PHI”), in any form. You are responsible for accessing, using and disclosing patient PHI only as allowed by law and by IRC HIPAA Compliance Policies, and as described in our Notice of Privacy Practices. You must strive to safeguard patient information and prevent breaches. If you become aware of a potential breach, you need to report it to the Privacy Officer immediately.
We report another passage of the document that seems important to us and that we hope has not been disregarded by IRC.
Cooperation With Government Investigations. We are committed to responding appropriately and in a forthright manner to any government investigation, inquiry, audit or request. Our Law Department’s role is to ensure our responses are appropriate and avoids duplicity of effort, and for that reason, anyone contacted by a governmental agency should contact the Law Department so it may coordinate the response.
In the following images, we will present redacted PHI documents of two patients who have undergone medical treatment at the Howard University Dialysis Center (District of Columbia).
In another document we reviewed, there are logs detailing the access histories of 596 patients to the Howard University Dialysis Center, including their medical histories. Note: we will present the medical history of only one patient.
From the theft of these documents, we can better understand the severity of the situation involving ARA, a situation that repeats itself every time a medical institution is targeted by ransomware groups.
What we will never tire of repeating is the total lack, among many companies that handle and store such sensitive data, of a serious and effective security plan capable of preventing such losses. In these cases, the privacy of citizens not only goes unprotected but, in the “best-case scenario,” victims become aware of the loss of their data only after many months.
Two weeks ago, we contacted American Renal Associates again, and we know that our email was opened and read. However, to date, no response to our inquiries has been provided by the American company.
We will update the article as soon as we are able to provide further details on the case.