The Texas-based healthcare services provider recently announced a data breach after a ransomware gang targeted the company.
What happened
On November 18th, 2024, Aspen Healthcare Services filed a notice of a data breach with the Attorney General of Texas. The company is known for serving the Dallas-Fort Worth area, providing home health, private duty, hospice, palliative care, respiratory care, and more.
According to a post from Aspen Healthcare, the health service provider experienced an attempted ransomware attack on October 22nd, 2024. The attack was against Aspen Healthcare’s medical records system and was discovered on October 23rd.
The company said that upon discovery they “immediately took swift action to secure our systems and prevent further unauthorized access.” Aspen Healthcare is now reaching out to patients who may have been impacted.
Going deeper
Aspen Healthcare also notified state and federal authorities before launching an investigation into the incident.
The investigation included a review of the accessed files and determined that accessed information included patient names, dates of birth, addresses, insurance IDs, health records, and Social Security numbers. The company noted that no financial accounts were impacted.
Currently, it’s unclear how many individuals were impacted by the breach or if information has been used maliciously. Aspen Healthcare is offering complimentary credit monitoring to impacted patients. Patients can also receive assistance for placing a “fraud alert” on credit accounts.
In their notice, Aspen Healthcare said it “remains dedicated to protecting your information.”
Why it matters
Data breaches like these can disrupt operations, which can directly impact care. Considering healthcare is often instrumental in saving lives, ransomware incidents can cause significant harm to patients.
In this case, it’s unclear how the ransomware incident occurred or what gang may have been involved. So far, Aspen Healthcare has not released any information on whether it paid a ransom or retrieved the data. Organizations should never pay ransoms, as doing so can make them more likely to be targeted in the future.
As a result of the breach, Aspen Healthcare may face a class action lawsuit from impacted patients or a fine from the Office of Civil Rights, depending on how many individuals were impacted.
The big picture
Breaches like these can be devastating for a growing company. In the past, they have even resulted in organizations going into bankruptcy.
Yet the majority of data breaches can be prevented. Often, these crimes are opportunistic: malicious organizations find a network that has not been fully protected. With the right security systems in place, these breaches can be prevented before the actors can access data.