Phishing Attack on Aspire Health Resulted in PHI Theft

HIPAA’s Records Retention Requirements

Aspire Health is a Nashville, TN in-home services provider for patients diagnosed with critical illnesses. The company recently discovered an unauthorized person accessed the email account of one of Aspire Health’s employees following a successful phishing attack. After gaining access to the email account, the attacker sent 124 email messages to another email account. A number of the email messages included the protected health information (PHI) of patients as well as confidential and proprietary Aspire Health data.

An Aspire Health spokesperson issued a statement confirming breach notification letters have now been sent to patients affected by the breach; however, information has not been made public about the number of individuals affected by the breach. The Department of Health and Human Services’ Office for Civil Rights has not yet posted a breach summary on its breach portal.

The employee received an email that contained a link to a site that required login credentials to be entered. According to Aspire Health’s investigation, the web page was created on August 28, 2018 and was hosted in the Russian Federation. The employee is believed to have accessed the site on September 3, 2018 and the unauthorized individual accessed the account the same day. Google has now marked the website as potentially malicious, although it had not been classified as such at the time.

Aspire Health ordered an internal investigation of the breach to figure out if the stolen PHI has been viewed and is attempting to identify the person responsible for the attack. It was necessary to file a motion in federal court to get Google to disclose more information on the owner of the website and email account.

The attacker forwarded the messages to a Gmail account and so Aspire Health believes Google has access to information that can help identify the hacker and determine if the forwarded messages have been opened. As reported by The Tennessean, Aspire Health initially asked Google to supply information regarding the ownership of the site and the email account. But, Google informed Aspire Health that a subpoena would is necessary.