Aspire Health, a Nashville-based in-home healthcare provider, was hacked Sept. 3 as a result of a phishing attack and “lost” some protected health information (PHI), according to a report by the Tennessean.com.
The hack was disclosed for the first time in federal court records filed on Tuesday, according to the media report. The company suffered a phishing attack on Sept. 3 that gave the attacker access to Aspire's internal email system. The Tennessean article cites information in the court records indicating that the hacker then forwarded 124 emails to an external email account, including emails that contained “confidential and proprietary information and files” and “protected health information.”
“No other information about the contents of the hacked emails have been made public, so it is unclear how many patients have been exposed and what kind of information was leaked. Aspire has issued a statement saying it has already alerted a ‘small handful’ of patients who ‘may have been impacted’ by the email breach,” the article stated.
According to an email sent to the Tennessean from Cory Brown, a chief compliance officer for Aspire, the company immediately locked the compromised email account after discovering the phishing attack.
Brown added that it is unknown if the stolen emails were actually opened by the hacker.
In a statement to the local News4 station about the cyber attack, Aspire Health said: “Aspire takes the security of its data and the personal information of its patients very seriously. Aspire recently learned one of its employees was the victim of an international phishing attack. Aspire’s information security team quickly discovered the attack and immediately took action to lock the employee’s account. Aspire is now working through the legal process to determine if any Aspire information was ultimately accessed by a third-party. Out of an abundance of caution, Aspire has already alerted the small handful of customers who may have been impacted by this event.”
According to the article, Aspire Health was founded in 2013 by former Sen. Bill Frist and current CEO Brad Smith. The company provides house-call physicians who offer palliative care for advanced cancer and other serious illnesses.
“In the court records filed on Tuesday, Aspire has said it has tried to identify the hacker but so far has been unable to do so. The phishing attack originated from a website with an IP address in Eastern Europe for which Google is the registrar,” the article stated.
Court records detail Aspire Health's effort to subpoena Google and identify the hacker, according to media reports. The hacking attack was revealed Tuesday as Aspire filed a federal court motion seeking to subpoena Google for more information on the unknown hacker. Aspire attorney James Haltom said in the court motion that Google’s internal records should be able to identify the culprit – currently known only as John Doe 1, the Tennessean reported.
Haltom wrote in court records that Aspire has requested the information from Google “informally,” but Google said Aspire would need to get a subpoena, the article stated.
“The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the e-mail account that John Doe 1 used in the phishing attack,” Haltom wrote. “This information will likely allow Aspire to uncover and locate John Doe 1.”