Coming soon, new details >> American Renal Associates, nearly 20,000 patients are affected by the data breach

03/20/2024 Marco A. De Felice aka amvinfe
UPDATE 3/27/2024

In the next few days, we will update the article with new details and additional documentation regarding the data theft perpetrated against American Renal Associates, as well as with a revision of the number of individuals involved in the theft and publication of PHI and PII data.

American Renal Associates (now known as Innovative Renal Care), with over 230 locations across the United States, has become the latest victim of a ransomware attack in the clinical-hospital sector. The Medusa group recently made thousands of PHI and PII records, stolen from the company’s servers on March 2, publicly available on its leak site on the Tor network.

One week ago, we published an article describing the case of hundreds of thousands of sensitive records stolen by the BianLian ransomware group from Akumin Corp. and over 100 affiliated clinical-hospital facilities. This article aims to once again highlight the shortcomings of a company that manages and stores sensitive data on its servers every day without adequate protection against external cyber attacks. It also seeks to make readers aware of the failure of American Renal Associates (ARA) to implement data protection practices for the PHI and PII of patients, employees, and suppliers.

In 2021, ARA, headquartered in Beverly, MA, merged with Innovative Renal Care (IRC), a network of dialysis professionals dedicated to caring for individuals with kidney disease. However, to gain a deeper understanding of who ARA is, it is necessary to take a step back to 2016.

2016 is the year in which ARA was called to respond to allegations made by UnitedHealth Group Inc. (UHC), headquartered in Minnetonka, Minnesota. UHC alleged that the provider had recruited patients with kidney disease by paying their insurance premiums, enabling ARA to bill dialysis services at inflated rates.

In the complaint filed in June 2016, UnitedHealth accused ARA of persuading end-stage renal disease patients, eligible for Medicare and Medicaid, to obtain insurance coverage with UnitedHealth instead. While government plans reimburse $200/$300 per dialysis treatment, the complaint asserted that ARA, by leveraging its out-of-network status with UnitedHealth’s commercial plans, billed up to $4,000 for the same services.

UHC had identified a list of 27 different patients in Florida and Ohio. The Minnesota-based company stated that these were “exaggerated reimbursement requests” for the period from March 2016 to May 2016, which included requests of up to $4,473 per outpatient dialysis visit. For these patients, American Renal Associates had requested compensation exceeding $2.2 million, with UnitedHealth subsequently paying out over $1.9 million.

The lawsuit concluded with ARA being forced to pay $32 million to UnitedHealth to settle the allegations of patient management and excessive billing practices.

American Renal Associates and UnitedHealthcare Reach Settlement

Regarding the data stolen by Medusa, we have had the opportunity to examine a series of documents that recently came into our possession. The files contain PHI and PII data of patients residing in various U.S. states who received treatment at ARA facilities.

In the table below, we list the American Renal Associates clinical facilities across the U.S., with data updated as of December 2022.


We have examined several files, including the file Patient_20230101_20231108.csv, whose data covers the period from January 2023 to November 2023. In this specific file, the total number of patients affected by the data breach is 14,595.

The following patient data is included in the file:

Name and surname of the patient
Date of birth
Gender
Marital status
Language
Race
First Ever Dialysis Date
Zip code
State
The file also contains a “RenesanMRN” field, a unique number assigned to each patient, which allows the patient to be identified even where the other fields in the file do not provide complete personal information. Through the “RenesanMRN” field, it is possible to link information on the patient’s condition, laboratory tests performed, admission dates, medical treatments received, insurance name and type, and other related sensitive information held in the other files.

Below, we display the details of a patient extracted from the spreadsheet files we have examined.

(a) Patient data – Screenshot and redaction by SuspectFile.com
(a) Patient problems – Screenshot and redaction by SuspectFile.com
(a) Laboratory results – Screenshot and redaction by SuspectFile.com
In the following images, the PHI and PII data of another patient are displayed.

(b) Patient data – Screenshot and redaction by SuspectFile.com
(b) Laboratory results – Screenshot and redaction by SuspectFile.com
(b) Hospitalization – Screenshot and redaction by SuspectFile.com
(b) Social Review – Screenshot and redaction by SuspectFile.com
(b) Problem – Screenshot and redaction by SuspectFile.com
(b) Insurance – Screenshot and redaction by SuspectFile.com
As mentioned, the names of patients in the spreadsheet files can easily be matched to their medical conditions, thanks to the unique number assigned to each patient in the “RenesanMRN” field.

The file tree remains accessible on the Medusa group’s website and consists of over 200,000 rows of filenames, some of which refer to documents nearly 15 years old. These files include administrative documents, driver’s licenses, passports, and social security numbers (SSNs).

SuspectFile.com was unable to determine the exact number of individuals involved in the data breach, as the names of patients in the files are often repeated numerous times. This occurs because, over the years, the same patient may have undergone various medical tests or treatments on different dates. However, we can confirm with certainty that at least another 4,700 distinct individuals appear in the remaining analyzed files:

Access_20230101_20231108.csv
Dialysis_20230101_20231108.csv
Hospitalization_20230101_20231108.csv
LabResults_20230101_20231108.csv
Medication_20230101_20231108.csv
Problems_20230101_20231108.csv
SocialReview_20230101_20231108.csv
Transfusion_20230101_20231108.csv
Transplant_20230101_20231108.csv
Insurance_20230101_20231108.csv
Recently, we sent an email to American Renal Associates to request a statement regarding the case. As of now, we have not received any response. We will update the article with any new details as they arise.