[BreachExchange] Healthcare provider AspenPointe data breach affects 295K patients

[Destry Winant]

https://www.bleepingcomputer.com/news/security/healthcare-provider-aspenpointe-data-breach-affects-295k-patients/

U.S. healthcare provider AspenPointe notified patients of a data
breach stemming from a September 2020 cyberattack that enabled
attackers to steal protected health information (PHI) and personally
identifiable information (PII).

AspenPointe is a nonprofit funded by Medicaid, state, federal, and
local government contracts, as well as donations, that manages 12
organizations serving over 50,000 individuals and families every.

Patients warned of identity fraud risks

"We recently discovered unauthorized access to our network occurred
between September 12, 2020, and approximately September 22, 2020,"
AspenPointe said in a notification sent to clients earlier this month.

The organization hired external security experts to investigate the
incident and find the extent of the information compromise affecting
its network.

"Based on our comprehensive investigation and document review, which
concluded on November 10, 2020, we discovered that your full name and
one or more of the following were removed from our network in
connection with this incident: date of birth, Social Security number,
Medicaid ID number, date of last visit (if any), admission date,
discharge date, and/or diagnosis code."

Even though the nonprofit says that there is no evidence that data
stolen during the attack was improperly used by any third parties,
patients were also urged to safeguard themselves against potential
fraud attempts.

To block identity fraud, users affected by this incident are advised
to place a security freeze or a fraud alert on their credit files, as
well as get a free credit report to detect any fraudulent attempts to
use their information.

AspenPointe also provides those affected by the data breach IDX
identity theft protection services including "12 months of credit and
CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and
fully managed identity theft recovery services."

Data breach affects over 295,000 patients

"Since the incident, we have forced password changes, implemented
additional endpoint protection, increased monitoring, and implemented
firewall changes, among other things," AspenPointe added.

"We continually evaluate and modify our practices and internal
controls to enhance the security and privacy of your personal
information."

A toll-free response line is available to clients who have more
questions about the incident Monday through Friday at 833.920.3180.

While AspenPointe did not disclose the number of patients affected in
this incident, the healthcare provider reported the data breach to the
U.S. Department of Health and Human Services (HHS) on November 19th.

The report filed with the HHS says that 295,617 AspenPointe clients
had their PHI and PII data stolen by the attackers in this incident.

An AspenPointe spokesperson was not immediately available for comment
after being contacted by BleepingComputer earlier today.