On February 24, 2022, ARcare experienced a data security incident, according to ARcare’s Notice of Data Privacy Incident.  ARcare is a healthcare provider with locations in Arkansas, Kentucky, and Mississippi.  ARcare provides numerous services, such as primary care, behavioral health, pharmacies, and community outreach programs.  As a federally qualified health center, ARcare also provides discounted rates for medical care. 

According to ARcare’s Notice, the incident affected its computer systems and disrupted services temporarily.  And according to the Breach Portal maintained by the U.S. Department of Health and Human Services Office of Civil Rights (OCR), ARcare reported that the data breach potentially affected 345,353 individuals.  ARcare’s Notice explained that it started an investigation, which determined that “an unauthorized actor may have accessed and/or acquired some sensitive data…” After reviewing the contents of the affected data, ARcare determined that the affected files contained personal information, including names, state identification numbers, dates of birth, financial information, Social Security numbers, medical diagnoses or condition information, medical treatment information, and other personal information.  ARcare noted that the exposed information varies based on the patient.  While the alleged unauthorized actor potentially had access to ARcare’s system between January 18, 2022, and February 24, 2022, ARcare is unaware of actual or attempted misuse of the exposed information because of the incident, according to its Notice.  Nonetheless, ARcare reports it is investigating additional security measures to reduce risks associated with the incident.

ARcare’s data incident is unfortunate for the company and the potentially affected individuals.  And data breaches, despite best efforts, continue to be a significant problem for most, if not all, companies and individuals.  A review of the OCR breach portal reflects several reported incidents that potentially affect hundreds of thousands of individuals.  One of the first reported incidents in 2022 was field by Broward Health, which noted over 1.3 million potentially affected individuals.  Adaptive Health Integrations and Magnolia Regional Health suffered data incidents and reported over 510,000 and 490,000 potentially affected individuals, respectively.  These are just a few examples of data incidents affecting large swaths of individuals in 2022 thus far.  

Data incidents continue to increase in frequency and impact.  Chilivis Grubman attorneys discussed the HIPAA Journal’s December 2021 Healthcare Data Breach Report, which highlighted that 2021 had approximately 70 more data breaches than 2020.  The HIPAA Journal also reported that OCR data indicated that 45.7 million healthcare records were exposed in 2021, which may be the second-highest number of exposed records in the last 12 years.

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.