US-based healthcare provider AspenPointe has recently informed patients it has suffered a data leak resulting from a cyberattack back in September.

The breach allowed hackers to obtain extremely sensitive information. The data exposed in the breach involved both personally identifiable information (PII) and protected health information (PHI).

A not-for-profit entity, AspenPointe receives funding from Medicaid, from federal, state and local government contracts, and from donations. It currently operates 12 different organisations that serve more than 50,000 families and individuals.

Patients notified of potential threats from identity fraud

AspenPointe recently issued a notification to its clients, stating that it had uncovered unauthorised network access that likely took place between September 12th and 22nd, 2020. It added that it had employed a team of external security specialists to look into the incident and determine the full extent of any compromise affecting its networks and the data kept on file.

It informed clients:

“Based on our comprehensive investigation and document review, which concluded on November 10, 2020, we discovered that your full name and one or more of the following were removed from our network in connection with this incident: date of birth, Social Security number, Medicaid ID number, date of last visit (if any), admission date, discharge date, and/or diagnosis code.”

Although the healthcare provider states that no evidence indicates any data taken in the recent attack was used illegally by third parties, all concerned patients were encouraged to protect themselves from possible fraudulent activity.

In order to mitigate potential identity fraud, clients impacted by the leak are advised to establish fraud alerts and security freezes on all of their credit profiles, and arrange for free credit reports to identify any attempts to make use of their data for fraud. In support, AspenPointe is providing clients affected by the breach with IDX protection services that include:

“12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.”

What further steps have been taken since the data breach?

Along with the required reporting and its subsequent investigation since the September incident, the non-profit entity has taken additional measures to safeguard client data. It has enforced a change of passwords and deployed extra endpoint protection. It has also made alterations to its dedicated firewall and increased its level of internal monitoring.

The healthcare provider commented:

“We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.”

For clients with questions and concerns regarding the data breach, the firm has also set up a free response line where they can contact the company. While AspenPointe did not publicly disclose how many patients were impacted in the data leak, it did submit a report to the US Department of Health and Human Services (HHS). The filed document stated clearly that 295,617 clients of AspenPointe had both PII and PHI stolen in the incident.