Healthcare Provider AspenPointe Data Breach Affects 295K Patients

U.S. healthcare provider AspenPointe notified patients of a data breach stemming from a September 2020 cyberattack that enabled attackers to steal protected health information (PHI) and personally identifiable information (PII).

AspenPointe is a nonprofit funded by Medicaid, state, federal, and local government contracts, as well as donations, that manages 12 organizations serving over 50,000 individuals and families every.

Patients warned of identity fraud risks

“We recently discovered unauthorized access to our network occurred between September 12, 2020, and approximately September 22, 2020,” AspenPointe said in a notification sent to clients earlier this month.

The organization hired external security experts to investigate the incident and find the extent of the information compromise affecting its network.

“Based on our comprehensive investigation and document review, which concluded on November 10, 2020, we discovered that your full name and one or more of the following were removed from our network in connection with this incident: date of birth, Social Security number, Medicaid ID number, date of last visit (if any), admission date, discharge date, and/or diagnosis code.”

Even though the nonprofit says that there is no evidence that data stolen during the attack was improperly used by any third parties, patients were also urged to safeguard themselves against potential fraud attempts.

Also Read: Letter of Consent MOM: Getting the Details Right

To block identity fraud, users affected by this incident are advised to place a security freeze or a fraud alert on their credit files, as well as get a free credit report to detect any fraudulent attempts to use their information.

AspenPointe also provides those affected by the data breach IDX identity theft protection services including “12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.”

Data breach affects over 295,000 patients

“Since the incident, we have forced password changes, implemented additional endpoint protection, increased monitoring, and implemented firewall changes, among other things,” AspenPointe added.

“We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.”

A toll-free response line is available to clients who have more questions about the incident Monday through Friday at 833.920.3180.

While AspenPointe did not disclose the number of patients affected in this incident, the healthcare provider reported the data breach to the U.S. Department of Health and Human Services (HHS) on November 19th.

The report filed with the HHS says that 295,617 AspenPointe clients had their PHI and PII data stolen by the attackers in this incident.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

An AspenPointe spokesperson was not immediately available for comment after being contacted by BleepingComputer earlier today.