HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Protected Health Information Stolen in Aspire Health Phishing Attack

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual.

Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”.

According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal.

As is the case with many phishing scams, the employee was sent an email containing a hyperlink to a website that requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was accessed by the employee on or around September 3, 2018. The employee’s email account was breached on September 3. The website has since been marked as potentially malicious by Google.

Aspire Health has launched an internal investigation into the breach, is attempting to determine whether any of the forwarded PHI has been accessed and is trying to identify the individual responsible for the attack. Part of that process has involved filing a federal court motion to get Google to reveal more information about the hacker.

The email account to which the messages were forwarded is a Gmail account and Aspire Health believes that Google could provide vital information that could allow the hacker to be identified and also help to determine whether any of the forwarded messages have been opened. According to The Tennessean, Aspire Health made informal attempts to get Google to release information about the owner of the website and the subscriber to the email account but was advised that a subpoena would be required.

Should Aspire Health’s efforts prove successful, the attacker could be identified; however, bringing that individual to justice for the attack is likely to be a much more difficult task.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.