Nonprofit U.S. healthcare provider AspenPointe has said it suffered a major data breach in September that resulted in the loss of the personal and medical information of 295,617 patients.
In a letter written to affected patients on 19th November, AspenPointe said it recently discovered that hackers gained access to the organisation's internal network and, between 12th and 22nd September this year, stole large amounts of data that included patients' personal and healthcare information.
"Based on our comprehensive investigation and document review, which concluded on November 10, 2020, we discovered that your full name and one or more of the following were removed from our network in connection with this incident: date of birth, Social Security number, Medicaid ID number, date of last visit (if any), admission date, discharge date, and/or diagnosis code," the healthcare nonprofit wrote.
Funded by federal and state governments and a recipient of a large number of donations, AspenPointe offers a range of healthcare services that include counseling and therapy, substance use treatment, mental health services, crisis services, and school-based services.
While admitting that the data has been irretrievably lost to hackers, AspenPointe said it is not aware of any reports of hackers using the stolen data to carry out identity fraud or any other illegal activity. The organisation is now offering affected patients complimentary identity theft protection services, which include 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.
In its report to the U.S. Department of Health and Human Services (HHS) on 19th November, AspenPointe said the network server breach resulted in the theft of personal and healthcare information of approximately 295,617 patients.
Commenting on the data breach suffered by AspenPointe, Robert Meyers, channel solutions architect and fellow of information privacy at One Identity, says that managing access rights with the least privilege model and using a privileged account management (PAM) system would likely have stopped this breach from happening.
"Remember, you can only leak information that you have access to. If you do not have access to information, you cannot leak it. Therefore, the cause of this breach was that certain users were granted too much access. Hopefully, AspenPointe will have already revised its access privileges and implemented a new PAM system. And, hopefully, others will take note.
"We are just at the start of what can be expected to be a large number of data breaches that will be identified. Security has simply not been a focus during the pandemic; simple enablement took its place. It's time for security to move back to the forefront of organisations' priorities so that breaches like this do not happen," he adds.
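As an added illustration of the two controls Meyers refers to (this is example code written for this page, not code from AspenPointe, One Identity or any PAM product), the following Python sketch models deny-by-default access checks in which privileged actions are honoured only through a PAM checkout, an audit that flags standing rights beyond a role's baseline, and a "blast radius" view of what a compromised account could reach. All roles, accounts, resources and actions are constructed for the example.

```python
"""Least-privilege access checks and an over-privilege audit (added example).

Illustrates the point in the commentary above: an account can only expose data
it can reach, so standing rights are kept to the minimum a role needs, anything
beyond that is flagged and trimmed, and privileged actions are only reachable
through a PAM checkout.  Roles, accounts, resources and actions are constructed
for this example and do not describe AspenPointe's or One Identity's systems.
"""
from dataclasses import dataclass, field

# Hypothetical role baselines: the minimum rights each job function needs.
# A right is a (resource, action) pair.
ROLE_BASELINE = {
    "front_desk": {("patient_record", "read_demographics")},
    "clinician": {("patient_record", "read_demographics"),
                  ("patient_record", "read_clinical"),
                  ("patient_record", "write_clinical")},
    "billing": {("patient_record", "read_demographics"),
                ("billing_record", "read"),
                ("billing_record", "write")},
}

# Rights that are never honoured as standing grants: they must come from a
# time-bound PAM checkout, which is what a PAM system exists to broker.
PRIVILEGED_RIGHTS = {("patient_record", "bulk_export"),
                     ("network", "admin")}


@dataclass
class Account:
    username: str
    role: str
    # Standing rights as recorded in the directory; these drift over time.
    standing: set = field(default_factory=set)
    # Rights granted for the current session by a PAM checkout.
    pam_checkouts: set = field(default_factory=set)


def is_allowed(account, resource, action):
    """Deny by default: the right must be standing or checked out via PAM,
    and privileged rights are honoured only via PAM even if left standing."""
    right = (resource, action)
    if right in PRIVILEGED_RIGHTS:
        return right in account.pam_checkouts
    return right in account.standing or right in account.pam_checkouts


def reachable(account):
    """Resources the account can currently act on at all, i.e. the blast
    radius if this account's credentials are compromised."""
    return {res for res, act in account.standing | account.pam_checkouts
            if is_allowed(account, res, act)}


def audit_overprivilege(accounts):
    """Map username -> sorted standing rights beyond the role baseline."""
    findings = {}
    for acct in accounts:
        extra = acct.standing - ROLE_BASELINE.get(acct.role, set())
        if extra:
            findings[acct.username] = sorted(extra)
    return findings


def trim_to_baseline(account):
    """Remove standing rights beyond the role baseline; return what was removed."""
    baseline = ROLE_BASELINE.get(account.role, set())
    removed = account.standing - baseline
    account.standing = account.standing & baseline
    return removed


# Constructed sample directory export: a receptionist who has accumulated a
# billing read right and a bulk-export right, and a clinician at baseline.
SAMPLE_ACCOUNTS = [
    Account("reception01", "front_desk",
            standing={("patient_record", "read_demographics"),
                      ("billing_record", "read"),
                      ("patient_record", "bulk_export")}),
    Account("dr_smith", "clinician",
            standing=set(ROLE_BASELINE["clinician"])),
]

if __name__ == "__main__":
    for user, rights in audit_overprivilege(SAMPLE_ACCOUNTS).items():
        print(f"over-privileged: {user}: {rights}")
    acct = SAMPLE_ACCOUNTS[0]
    print("reachable before trim:", sorted(reachable(acct)))
    print("removed:", sorted(trim_to_baseline(acct)))
    print("reachable after trim:", sorted(reachable(acct)))
```

Running the audit over a real directory export in place of `SAMPLE_ACCOUNTS` is the practical step: every finding is a standing right that would widen the data a compromised account can reach, and the bulk-export case shows why high-impact actions should live behind a checkout rather than as a permanent grant.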