A recent update to HHS’s public breach tool includes an incident affecting patients of Indian Territory Home Health and Hospice (“Aspire Home Health and Hospice”). From a statement on their web site:
On August 10, 2015, Indian Territory Home Health and Hospice, LLC, DBA “Aspire Home Care and Hospice” learned that it was the target of a cybersecurity attack. The attack affected its systems and data and may have exposed some of its patients’ personal information, such as patients’ names, dates of birth, addresses, telephone numbers, Social Security numbers, insurance information, prescription information, patient identification/medical record numbers and certain medical/clinical information. However, the data potentially exposed did not include any financial information, such as credit or debit card information.
As soon as Aspire became aware of the incident (which occurred in late-July 2015/early-August 2015), it performed a thorough investigation to determine the scope of the issue and the impact on its patients. Aspire immediately disabled certain accounts, implemented password resets for identified targeted users and performed a security assessment. In the aftermath of this incident, Aspire will continue to review its systems and improve the security of the information it maintains by implementing, for example, additional audit and surveillance technology to detect unauthorized intrusions.
We are providing notice to patients whose personal information may have been exposed and offering them identity monitoring at no cost for one year. We have also notified the Secretary of the United States Department of Health and Human Services regarding this incident. We deeply regret this incident occurred and any inconvenience it may cause our patients and/or their family members.
If you have any questions or would like to speak to someone regarding this incident, feel free to contact our Vice President of Compliance, Jenni Massengill, at 1-580-341-9226 or 888-285-5162.
Although the substitute notice does not provide details as to how the attack occurred, their report to HHS coded this as an incident in which the data were located in email, suggesting that this may have been a phishing attack. In two reports filed with HHS, the number affected was first listed as 4,278; a later report indicated 4,500.