Arkansas Heart Hospital Affected in Vendor's Data Breach

On March 15, 2025, Arkansas Heart Hospital was notified by one of its vendors about a cybersecurity incident involving unauthorized access to patient data contained within electronic medical records.

The hospital clarified that the breach did not affect any systems directly owned, operated, or administered by Arkansas Heart Hospital itself. Instead, the breach occurred within the vendor's systems used to process data during the hospital's ongoing transition to a new electronic medical record system. Arkansas Heart Hospital was not the only medical care provider impacted by this incident.

The vendor's investigation revealed that the unauthorized access occurred between January 22, 2025, and February 20, 2025. Based on the information available, Arkansas Heart Hospital believes the breach may have affected individuals who received care at their facilities between January 1, 2022, and January 31, 2025.

The types of patient information potentially exposed include personally identifiable information (PII), such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, maiden names, marital status, ethnicity, language, religious affiliation, death/deceased status, and living will indicators.

Protected health information (PHI) was also potentially compromised, including treatment and diagnosis details, prescription information, provider names, medical record or case numbers, health insurance information, and patient sex.

Currently, Arkansas Heart Hospital is working to identify and obtain address information for potentially impacted individuals so they can provide notification via U.S. Mail.

Arkansas Heart Hospital's response

Arkansas Heart Hospital has arranged to provide impacted individuals with access to credit monitoring and identity protection services. Patients who believe they might be affected or who have further questions are encouraged to enroll in these services by calling 1-833-998-7785 between 7:00 a.m. and 7:00 p.m. Central Time, Monday through Friday, excluding holidays. Alternatively, individuals may reach out by mail at 1701 South Shackleford Rd., Little Rock, AR 72211.

Arkansas Heart Hospital recommends that potentially impacted individuals remain vigilant against identity theft and fraud. Patients should regularly review their credit reports, account statements, and explanation of benefits forms for suspicious activity or errors.

Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus—TransUnion, Experian, and Equifax. To order a free credit report, visit AnnualCreditReport.com or call 1-877-322-8228.

Patients also have the right to place an initial or extended fraud alert on their credit files at no cost. Victims of identity theft are entitled to an extended fraud alert lasting seven years. Alternatively, individuals can place a credit freeze on their credit reports, preventing credit, loans, and services from being approved without consent. Federal law prohibits charging fees to place or lift a credit freeze.

To place a fraud alert or credit freeze, patients should contact the three major credit reporting bureaus directly:

• TransUnion: 1-800-680-7289 or transunion.com
• Experian: 1-888-397-3742 or experian.com
• Equifax: 1-888-298-0045 or equifax.com

For additional information on identity theft, fraud alerts, credit freezes, and steps to protect personal information, individuals can visit the Federal Trade Commission's identity theft website, call 1-877-ID-THEFT (1-877-438-4338), or contact their state Attorney General.

The full consumer notice from Arkansas Heart Hospital regarding this data breach can be viewed on their website at Arkansas Heart Hospital's Notice of Data Incident.

More information about the hospital can be found on their official website at arheart.com.