
Aspire Rural Health, a Michigan-based provider serving patients across Huron, Sanilac, Tuscola, and Lapeer counties, is notifying nearly 140,000 individuals that their personal and medical data was exposed in a cyberattack.
The organization said it detected suspicious activity on January 6, 2025, and brought in third-party cybersecurity experts to investigate. Forensic findings revealed that an unauthorized party had access to Aspire’s network for more than two months, from November 4, 2024, to January 6, 2025.
According to a breach notice posted on its website, patient files containing protected health information were accessed and in some cases stolen. Compromised data varied widely and could include names, dates of birth, Social Security numbers, financial and payment card details, medical diagnoses, treatment and prescription records, lab results, insurance information, driver’s license and passport numbers, login credentials, biometric identifiers, and patient or medical record numbers.
Aspire said it is not aware of any misuse of the stolen data but is offering complimentary credit monitoring and identity theft protection services to patients whose Social Security numbers were involved. A filing with the Maine Attorney General lists 138,386 affected individuals, including four Maine residents.
While the breach has not yet appeared on the U.S. Department of Health and Human Services’ breach portal, the BianLian ransomware group has claimed responsibility and listed Aspire on its dark web leak site.