PHI of 295K Patients Potentially Exposed Due to AspenPointe Cyberattack

AspenPointe Colorado Springs experienced a cyberattack in September 2020 that led to potential patient data exposure. The provider of mental health and behavioral health services shut down its systems while mitigating the attack, and its operations were disrupted for a few days.

Third-party cybersecurity specialists investigated the breach to determine the extent of the patient data compromise and helped with system restoration. On November 10, 2020, the investigators confirmed that the attackers had potentially accessed or acquired patient records.

The documents in the breached systems included patient data such as names and one or more of the following: birth date, Social Security number, bank account information, driver’s license number, Medicaid ID number, diagnosis code, date of last consultation, and dates of admission/discharge.

Upon discovery of the breach, AspenPointe performed a full password reset. It also added endpoint protection technology to reinforce cybersecurity, adjusted its firewall, and upgraded other processes and network monitoring.

The healthcare provider is currently mailing breach notification letters to all patients possibly affected by the attack and is offering them a complimentary 12-month IDX credit monitoring membership. Breach victims are additionally covered by an identity theft insurance plan of as much as $1 million and, where warranted, receive identity theft recovery services as well.

The substitute breach notice issued by AspenPointe makes no mention of reported fraud, identity theft, or misuse of patient information. No evidence was found of actual patient data theft by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated that the attack potentially affected the protected health information (PHI) of 295,617 patients.