Share this article on:
Aspire Home Care and Hospice Cyberattack Exposes 4,278 Patient Records. One of Oklahoma’s largest providers of home health services has announced it has become the victim of a cyberattack, after being targeted by criminals looking to take advantage of the terminally ill. The Aspire Home Care and Hospice cyberattack has resulted in the perpetrators obtaining highly sensitive Protected Health Information of 4,278 patients; information that used to steal identities and rack up debts in the victims’ names.
Aspire Home Care and Hospice, the new name for Indian Territory Home Health and Hospice, provides a range of home health and hospice services to state residents. The organization’s nurses, therapists, and social workers are committed to helping patients live with dignity and independence in their own homes.
Hackers First Gained Access to Email Accounts in July 2015
The perpetrator of the attack first gained access to email accounts in late July, and potentially obtained patient names, dates of birth, Social Security numbers and insurance information, placing the victims at a particularly high risk of suffering identity theft, medical and insurance fraud.
Other data obtained by the hacker(s) include: addresses and telephone numbers, prescription information, medical record numbers and some medical and clinical information. No financial details were obtained, and neither were credit or debit card numbers.
The breach notice posted on the Aspire Home Care website does not explain the exact nature of the cyberattack in detail, although the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights lists the attack as having occurred via email, suggesting email accounts were compromised as part of a spear phishing campaign. Phishing is one of the main methods used by cybercriminals to gain access to confidential patient healthcare information.
Aspire Home Care was alerted to the hacking incident on August 10, 2015 and immediately began an investigation to determine the scope of the attack and the patients affected. As required by HIPAA, Aspire performed a full security assessment and risk analysis after the discovery of the breach and notified the Office for Civil Rights on October 9, 2015.
In order to prevent any further access to patient data, the email accounts of the “targeted users” were disabled and passwords were reset. Aspire will continue to monitor and review its systems and will be implementing a range of additional security measures to reduce the risk of future cyberattacks. One of those measures is the implementation of an intrusion detection system to ensure that any future cyberattacks can be rapidly identified. Audit technology will also be used.
Due to the high risk of identity theft and fraud, all affected individuals have been offered identity theft monitoring services for a period of one year without cost.
Cyberattack Risk Mitigation
Since insurance information has been compromised in the attack, all victims should obtain their Explanation of Benefits (EoB) statements and must monitor them closely for any sign of fraudulent activity. If suspicious activity is noticed, it should be reported to the insurance company. It is also worthwhile placing a credit freeze on accounts to increase security and reduce the risk of fraud. Credit monitoring services are not activated automatically. Details of how to sign up for the services are being provided in the patient breach notification letters sent by Aspire. Further information can be obtained from Aspire on 1-580-341-9226 or 888-285-5162.