On March 1, 2024, attackers quietly slipped into the network of Arisa Health, a behavioral health system serving Arkansas. They stayed for eighteen days. Nobody noticed. By the time the door was closed on March 18, the attackers had walked out with files containing the protected health information of more than 375,000 patients — including names, Social Security numbers, health insurance details, full medical histories, diagnoses, driver’s license numbers, and, in some cases, certifications of substance abuse program completion. Roughly a year and a half later, Arisa agreed to pay $1.9 million to settle the class action that followed.
For any healthcare leader reading this in Orange County — the practice managers in Newport Beach, the dental office owners in Irvine, the small medical groups across Anaheim and Fullerton — the Arisa case isn’t a curiosity. It’s a mirror. Because the things that went wrong at Arisa Health are the same things going wrong, right now, in small and mid-sized healthcare organizations across Southern California. The only difference is whether the bill has arrived yet.
Here’s exactly what happened, what the organization got wrong, and what every OC practice should be checking by Friday.
What actually happened at Arisa Health
The technical story is depressingly familiar. Attackers — almost certainly through phishing or credential theft, the dominant entry points for healthcare breaches in 2024 — gained access to the Arisa Health network on March 1, 2024. They moved laterally, located the file shares containing patient records, and exfiltrated data over a span of nearly three weeks. Detection came late. Notification to affected patients followed months later. The class action lawsuit, Rebecca Miller et al. v. Arisa Health, was filed shortly after. By mid-2025, Arisa had agreed to the $1.9 million settlement.
And here’s what makes this case especially instructive: behavioral health PHI is among the most sensitive data categories under federal law. Substance abuse treatment records are covered not only by HIPAA but by 42 CFR Part 2, which carries its own confidentiality and breach-handling requirements. When that data is exposed, the harm to patients is not abstract — it can include job loss, custody disputes, insurance discrimination, and personal stigma that follows people for years. A behavioral health breach is HIPAA’s worst-case scenario for patient impact.
The $1.9 million is the headline number. It is not the full cost. Forensic investigation, breach counsel, mandatory notification under HIPAA and California Civil Code §1798.82, credit monitoring offers, productivity loss, reputation damage, and the substantial risk of follow-on OCR enforcement all sit alongside that figure. IBM’s 2025 Cost of a Data Breach Report puts the average U.S. healthcare breach at $10.22 million — up 9.2% year over year — driven largely by rising regulatory penalties. The settlement is the visible part of the iceberg.
What they did wrong: the four failures that show up in every major breach
The Office for Civil Rights (OCR) has been remarkably consistent in 2024 and 2025 about what it’s seeing in healthcare breaches. In the first five months of 2025 alone, OCR announced ten HIPAA resolution agreements ranging from $25,000 to $3 million — and every single announcement cited failures in the same core HIPAA Security Rule controls. Here’s what kept showing up, and what almost certainly applies to the Arisa incident.
1. No accurate, thorough risk analysis
The HIPAA Security Rule’s foundational requirement is a real, documented risk analysis covering every system that creates, receives, maintains, or transmits electronic protected health information (ePHI). Not a one-page checklist. Not a vendor’s marketing PDF. A genuine assessment of where ePHI lives, how it flows, what could compromise it, and how likely those scenarios are.
OCR’s enforcement pattern in 2025 makes it explicit: this is the single most-cited failure across every settlement. A national medical supplier paid $3 million in 2025 specifically because OCR found the organization had not conducted a “compliant risk analysis” before suffering a phishing-driven breach. Most small healthcare practices in Orange County have either never done one, or did one years ago and never updated it.
2. No detection during the active intrusion
Eighteen days. That’s how long the attackers had unchallenged access to Arisa’s network. In that time they navigated systems, identified valuable data, staged exfiltration, and walked out the front door. The technical controls that would have caught them — endpoint detection and response, security information and event management, behavioral analytics, 24/7 monitoring — either didn’t exist or weren’t being watched.
This is the gap between “we have antivirus” and a real security operation. Antivirus catches yesterday’s malware. It does not flag a credentialed user logging in at 3am from a foreign IP and accessing files they’ve never touched before. That’s what a security operations center is for — and most small healthcare practices don’t have one.
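The 3am-from-a-foreign-IP scenario above, as an added example (not from the post, Arisa Health, or any vendor product): a minimal behavioural detector that baselines each user's normal file shares and login countries from constructed sample events, then flags live events only when two or more anomalies corroborate each other. The business-hours window, the home country, and the log field layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 local is normal for this practice
HOME_COUNTRIES = {"US"}         # assumption: staff only ever log in from the US
# Constructed sample events (not real logs): timestamp|user|source_country|action|target
HISTORY = """\
2024-02-20T09:12:00|jdoe|US|login|-
2024-02-20T09:15:00|jdoe|US|read|fs01/billing
"""
LIVE = """\
2024-03-01T03:04:00|jdoe|RO|login|-
2024-03-01T03:06:00|jdoe|RO|read|fs01/clinical/substance_abuse
2024-03-01T03:09:00|jdoe|RO|read|fs01/billing
2024-03-01T10:30:00|jdoe|US|read|fs01/billing
"""

def parse(lines):
    for line in lines.strip().splitlines():
        ts, user, country, action, target = line.split("|")
        yield datetime.fromisoformat(ts), user, country, action, target

def build_baseline(history):
    # Per user: which shares they normally read and which countries they log in from.
    shares, countries = defaultdict(set), defaultdict(set)
    for _ts, user, country, action, target in parse(history):
        countries[user].add(country)
        if action == "read":
            shares[user].add(target)
    return shares, countries

def score_event(event, shares, countries):
    ts, user, country, action, target = event
    reasons = []
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if country not in HOME_COUNTRIES and country not in countries[user]:
        reasons.append("new-country:" + country)
    if action == "read" and target not in shares[user]:
        reasons.append("never-accessed-share")
    return reasons

def detect(live=LIVE, history=HISTORY):
    shares, countries = build_baseline(history)
    alerts = []
    for ev in parse(live):
        reasons = score_event(ev, shares, countries)
        if len(reasons) >= 2:   # require corroboration; a lone off-hours read is noise
            alerts.append((ev[0].isoformat(), ev[1], reasons))
    return alerts
```

Running `detect()` on the constructed data raises three alerts for the 3am session and none for the same user's normal 10:30 read, which is the distinction signature-based antivirus cannot make.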
3. Weak access controls and missing multi-factor authentication
Almost every major healthcare breach in 2024–2025 traces back, at some point in the chain, to a compromised credential. Once attackers have a working username and password, they move sideways through the network. The single most effective barrier to this — multi-factor authentication enforced on every account that touches ePHI — is still missing in a startling percentage of small healthcare practices. “MFA on email but not on the EHR.” “MFA for partners but not for the front desk.” Every exception is a doorway.
4. Documentation and training that exists on paper, not in practice
An OCR investigator doesn’t care if your HIPAA policy binder exists. They care whether anyone has read it, whether training records show consistent staff attendance, and whether past incidents were actually handled the way the policy says they should be. The disconnect between written policy and operational reality is what turns a regulatory inquiry into a settlement.
The “we’re too small to be a target” myth
Walk into ten Orange County medical, dental, or behavioral health practices and you’ll hear the same line in nine of them: “We’re a small practice. Hackers go after the big hospitals.” This was never quite true, and in 2025 it became actively dangerous as a worldview.
Attackers don’t target organizations by size — they target them by exposure and reward. A 12-provider medical group in Newport Beach with weak controls and 8,000 patient records is a far easier, more profitable target than UCI Medical Center. The ransom calculus is the same: the practice can’t operate without its EHR, the data is sensitive enough to coerce payment, and the cybersecurity posture is rarely good enough to refuse. Healthcare is the third-most-targeted industry for cyberattacks in the U.S. — and small healthcare practices now account for the majority of HIPAA breach reports filed each year.
| What practices think they have | What OCR actually expects | What “we did it wrong” costs |
|---|---|---|
| “We had a security review” | A documented, current risk analysis covering all ePHI systems | $3M settlement (national medical supplier, 2025) |
| “We have antivirus” | Endpoint detection, logging, 24/7 monitoring of anomalies | 18+ days of undetected attacker access |
| “MFA on email” | MFA enforced on every system that touches ePHI | $1.9M class action (Arisa Health, 2025) |
| “Backups on a NAS” | Immutable, off-site, tested against ransomware quarterly | Days or weeks of operational shutdown after attack |
| “Training videos every year” | Documented training records, phishing simulations, role-based content | $225K–$800K OCR settlements (multiple, 2025) |
| “Our IT guy handles it” | A real, documented HIPAA security program with assigned officer | Personal liability for the named privacy/security officer |
| “We have a BAA with our vendor” | BAA + documented review of the vendor’s actual security posture | Liability when the business associate breaches |
Why California adds another layer of pain
HIPAA is the federal floor. California stacks more on top. Civil Code §1798.82 requires notice to affected residents and, in larger breaches, to the California Attorney General. The Confidentiality of Medical Information Act (CMIA) carries its own private right of action — patients can sue you directly without proving actual damages, with statutory penalties of $1,000 per violation. Multiply that by 375,000 patients and the numbers start to look very different from the $1.9 million settlement headline.
For OC practices, the practical implication is that a breach triggers multiple regulatory and legal exposures simultaneously: HHS/OCR investigation, California AG notification, CMIA class action exposure, professional licensure board scrutiny, and — if you accept Medicare or Medicaid — potential False Claims Act issues if you’ve been attesting to compliance you don’t actually have. Real cybersecurity for healthcare practices isn’t optional in this environment. It’s load-bearing infrastructure.
What every OC healthcare practice should fix this week
Most of the controls that would have stopped — or at least dramatically shortened — the Arisa intrusion are not exotic. They’re foundational. If you handle PHI in any capacity in Orange County, here’s the list worth running against your actual environment today:
- Run (or update) your HIPAA risk analysis. Documented. Current. Covering every system that touches ePHI. If you can’t find it in 60 seconds, it doesn’t exist for OCR’s purposes.
- Enforce MFA on every account. EHR, email, remote access, billing, the practice management system, the wifi password your front desk knows. Every door. No exceptions for partners or providers.
- Deploy real endpoint detection and response (EDR) and 24/7 monitoring. Antivirus is a seatbelt. EDR is the airbag. You need both, and someone needs to be watching the alerts.
- Test your backups against a ransomware scenario. Not “do they exist.” Can you restore the full EHR in under 24 hours from backups the attackers couldn’t touch?
- Document training and run phishing simulations. The training video is the floor. Quarterly phishing tests with documented results are what OCR wants to see.
- Write — and rehearse — an incident response plan. Who calls breach counsel? What’s the notification timeline for §1798.82? Who talks to media? If those answers come from improvisation, the breach will be worse than it had to be.
- Audit your business associates. Your billing service, your IT vendor, your cloud EHR — they’re all extensions of your HIPAA exposure. The BAA in the file is the start, not the end.
The honest version
Arisa Health didn’t get unlucky. They had the same controls — or lack thereof — as a substantial portion of healthcare practices across the country, and the dice came up against them in March 2024. The eighteen days of undetected access, the missing risk analysis, the gaps in monitoring and MFA — these aren’t unique. They’re typical. And they’re exactly what’s sitting in most small healthcare practices in Orange County right now.
The good news, and it’s real: the work to fix this is well-understood, the controls are not exotic, and a serious managed IT and security partner for healthcare practices in Orange County can have most of it implemented in 60–90 days. The expensive option is the one Arisa Health chose by accident.
Intelecis has been helping Orange County healthcare and dental practices close the gap between “we have IT” and a real HIPAA-compliant security program since 2010. NSA-Accredited, with documented experience supporting medical, dental, and behavioral health environments. Get a free HIPAA security assessment — we’ll show you, in writing, exactly where your gaps are.