AspenPointe based in Colorado Springs, a provider of mental health and behavioral health services, has reported a cyberattack in September 2020 that resulted in the potential compromise of patient information. Because of the attack, the healthcare provider had to take down its systems that affected most of its operations for a few days as it took steps to mitigate the attack.
Third-party cybersecurity experts helped investigate the incident, work on system restoration and find out the magnitude of the compromise of patient information. On November 10, 2020, it was confirmed by the review of the documents that the attackers had potentially accessed or acquired patient information.
The breached systems contained documents with the following patient information: names and at least one of these data elements: birth date, driver’s license number, Social Security number, bank account details, Medicaid ID number, diagnosis code, dates of admission/discharge, date of last consultation.
Right after being aware of the breach, AspenPointe performed a password reset. It also implemented more endpoint protection technology to strengthen cybersecurity, made adjustments to the firewall, and enhanced other procedures and network monitoring.
The healthcare provider is now sending notification letters to all persons potentially impacted by the breach and is offering breach victims free membership to IDX credit monitoring services for one year. Breach victims are also covered by an identity theft insurance policy
up to $1 million and, in case required, they will get access to identity theft recovery services.
In AspenPointe’s substitute breach notice, it mentioned that it had not received reports of identity theft, fraud, or misuse of patient data. There is also no evidence found that indicates the attackers actually stole patient data.
AspenPointe submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights and indicated that the attack resulted in the potential compromise of 295,617 patients’ protected health information.