AspenPointe, based in Colorado Springs, has revealed that it was impacted by a cyberattack during September 2020 which led to patient information being accessible.
The mental health and behavioral health services provider was put in a position where it had to make its systems inaccessible. This resulted in the majority of its operations being impacted for a number of days while the attack was addressed.
A firm of external cybersecurity specialists was hired to help with the investigation and recovery attempts, and to ascertain the extent to which patient information may have been compromised. The investigation into the files that may have been accessed by hackers showed on November 10, 2020 that patient information had potentially been accessed or stolen.
The files on the impacted systems included patient names and one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security information.
After the discovery of the data privacy breach, a password reset was carried out. Cybersecurity has since been strengthened with more endpoint protection technology, changes to the firewall, and other measures, and network monitoring has been improved.
Official notification letters are now being issued to every individual who may have been impacted by the breach, and a one-year free membership to IDX credit monitoring services is being given to breach victims. Breach victims are also safeguarded by a $1 million identity theft insurance policy and will have access to identity theft recovery services should they be deemed necessary.
AspenPointe stated in its substitute breach notice that there have been, as of yet, no reported cases of identity theft, fraud, or improper use of patient information, and that no evidence was found to indicate any patient data was actually stolen by the cybercriminals.
The breach report filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) also says that the protected health information of 295,617 patients was potentially compromised in the hacking incident.