US healthcare provider AspenPointe informed its patients about a data breach that came from a cyber attack of September, with the result hackers steal protected health information (PHI) and personally identifiable information (PII). AspenPointe is a non-profit organization funded by state, federal and local authorities and manages 12 organizations serving more than 50.000 individuals and families each.
In a warning to its patients, AspenPointe said it had discovered that a stranger had obtained unauthorized access on its network between 12 and 22 September. In addition, the agency hired external experts security to investigate the incident and determine if and to what extent sensitive patients' personal information was violated.
An investigation completed on November 10 revealed that patient information such as full names, dates of birth, social security numbers, Medicaid ID numbers, date of last visit, date of admission, date of discharge or diagnostic code.
Although the non-profit organization stated that there is no evidence to prove that data stolen during attack used "inappropriately" by third parties, patients were called upon to protect themselves from possible attempts fraud. Specifically, they were asked to place a security "freeze" or a fraud alert on archives as well as receive a free credit report to detect any attempts at malicious use of their information.
In addition, AspenPointe provides patients affected by data breach with 12 months of credit and follow-up CyberScan, a $ 1.000.000 indemnity insurance policy and services recovery of affected information.
After the attack, the body changed passwords, apply additional protection endpoint, increased monitoring as well as changes firewall. While AspenPointe did not disclose the exact number of patients affected in the incident, the healthcare provider reported the data breach to the US Department of Health and Human Services (HHS) on November 19. According to a report filed with the HHS, 295.617 AspenPointe patients received PHI and PII.