Arietis Health data breach demonstrates third-party risk.
By Tim Nodar, CyberWire senior staff writer
Oct 6, 2023

Again: third-party risk to healthcare data.

Arietis Health data breach demonstrates third-party risk.

Medical billing provider Arietis Health has notified patients of fifty-four healthcare entities that their data may have been exposed after an attack against Arietis Health’s MOVEit file transfer server in May 2023. 

Data at risk include personal information.

The potentially exposed data included “patient names, dates of birth, driver’s license or other state identification card numbers, addresses, Social Security numbers, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information.”

Zero days afflict even well-prepared organizations.

Ted Miracco, CEO of Approov Mobile Security, reminds us that zero days, by definition, escape patching programs: a vulnerability exploited before the vendor knows about it has no patch to apply. Patches are always retrospective and reactive, which is why a patching program alone is not a defense against this class of attack.

“This is a reminder that even when organizations take steps to patch known vulnerabilities, they are still at risk of being attacked by cybercriminals who exploit zero-day vulnerabilities,” he wrote. “Cybercriminals, especially state-sponsored groups, are constantly developing new ways to exploit zero-day vulnerabilities, and it can take time for software vendors to develop and release patches. Healthcare organizations especially need to take additional steps to protect themselves from zero-day attacks, such as implementing multi-layered security controls and conducting regular pen testing assessments.”

The importance of addressing third-party risk.

Paul Valente, CEO at VISO Trust, sees this as another instance of third-party risk. “The days of turning a blind eye on third-party risk are behind us. It's imperative that CISOs take decisive steps to manage this risk,” Valente wrote in emailed comments. “Drawing from years of experience as a CISO, it's evident that the MOVEit campaign breach underscores the necessity for modern enterprises to invest in a comprehensive, strategic, and automated third-party risk management program. In an interconnected digital world, overlooking third-party risk is not an option. Organizations must be proactive in addressing this critical facet of cybersecurity to safeguard data, protect their reputation, and meet regulatory obligations.”