Sensitive medical and other personal data was potentially exposed


ARcare, a US healthcare provider with facilities in Arkansas, Kentucky, and Mississippi, has admitted a data breach potentially affecting 345,000 individuals.

“On February 24, 2022, ARcare experienced a data security incident that impacted its computer systems and caused a temporary disruption to services,” reads a data breach alert published by ARcare, which provides discounted medical care in underserved communities via medical centers, pharmacies, and school-based clinics.

“ARcare immediately worked to secure its systems and quickly commenced an investigation to confirm the nature and scope of the incident.”

That investigation concluded on March 14 that a malicious hacker had access to ARcare’s network over a five-week period between January 18 and February 24.

Exposed data

Potentially exposed data, which varied by individual, included “names, Social Security numbers, drivers’ license or state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical diagnosis or condition information, and health insurance information”.

ARcare said it is “unaware of any or actual or attempted misuse of the affected information as a result of this incident”.


Catch up on the latest data breach news


On April 4, the healthcare provider determined that personal information relating to individuals was exposed and on April 25 began notifying potentially impacted individuals and regulators. The US Department of Health and Human Services (HSS) was notified that 345,353 individuals may have been affected.

“ARcare is reviewing and updating existing policies and procedures relating to data protection and security,” reads the data breach alert.

“ARcare is also investigating additional security measures to mitigate any risk associated with this incident and to better prevent future similar incidents.”

Potentially impacted individuals are “encouraged to remain vigilant against events of identity theft by reviewing account statements, explanation of benefits, and monitoring free credit reports for suspicious activity and to detect errors”, said ARcare. “Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.”

The Daily Swig has contacted ARcare for further comment. We will update this story if we get a response.


DON’T MISS Utah Consumer Privacy Act: New legislation adds another wrinkle to the US legal landscape