Protected Health Information Stolen in Aspire Health Phishing Attack

Share this article on:

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual.

Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”.

According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal.

As is the case with many phishing scams, an email was sent to the employee which contained a hyperlink to a website which requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was accessed by the employee on or around September 3, 2018. The employee’s email account was breached on September 3. The website has since been marked as potentially malicious by Google.

Aspire Health has launched an internal investigation into the breach, is attempting to determine whether any of the forwarded PHI has been accessed and is trying to identify the individual responsible for the attack. Part of that process has involved filing a federal court motion to get Google to reveal more information about the hacker.

The email account to which the messages were forwarded is a Gmail account and Aspire Health believes that Google could provide vital information that could allow the hacker to be identified and also help to determine whether any of the forwarded messages have been opened. According to The Tennessean, Aspire Health made informal attempts to get Google to release information about the owner of the website and the subscriber to the email account but was advised that a subpoena would be required.

Should Aspire Health’s efforts prove successful, the attacker could be identified; however, bringing that individual to justice for the attack is likely to be a much more difficult task.

Author: HIPAA Journal

Share This Post On