AspenPointe Inc., a mental health and substance abuse provider, suffered a cyberattack that allowed unauthorized access to their network. Details regarding the mental health services breach are discussed.

Mental Health Services Breach: What Happened

In late September, AspenPointe discovered a cyberattack on their network that forced them to close most of their operations for several days. An investigation, concluding on November 10, 2020, uncovered that the unauthorized access occurred from September 12 through September 22.

Mental Health Services Breach

The mental health services breach allowed hackers to exfiltrate data from AspenPointe’s network. Data exposed in the incident included the protected health information (PHI) of 295,617 patients. Compromised PHI varied by patient but included patient names, dates of birth, Social Security numbers, Medicaid ID numbers, dates of last visit, admission dates, discharge dates, and/or diagnosis codes.

In addition to accessing patient data, hackers were able to access ApenPointe’s employee data. Employee data compromised in the incident included employee names, dates of birth, Social Security numbers, driver’s license numbers, and/or bank account information.

Let’s Simplify Compliance

Cybersecurity and HIPAA compliance go hand-in-hand. Protect yourself from breaches by becoming HIPAA compliant today!

Learn More!
HIPAA Seal of Compliance

A notification sent out to patients and employees states, “To date, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. Nevertheless, out of an abundance of caution, we wanted to make you aware of the incident, explain the services we are making available to help safeguard you against identity fraud, and suggest steps that you should take as well.”

To protect individuals exposed in the mental health services breach, AspenPointe is offering affected individuals 12 months of complementary credit monitoring services, $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery. AspenPointe states, “Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of personal information in our possession and have taken precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.”

Since discovery of the incident, AspenPointe has increased their security by forcing password changes, implementing additional endpoint protection, increasing monitoring, and implementing firewall changes.