Aspire Health, through its federal court record, has revealed that it was a victim of a nasty phishing attack through email that exposed patients’ records to unknown parties this September 2018. The Nashville-based medical-care firm which operates in 25 states in the U.S. has lost control of highly confidential 124 emails detailing patient information. The report has not disclosed more information about how, when and what branch of Aspire Health the phishing email started.
The healthcare provider issued a formal notification to its clients by directing them to call their hotline (615-346-8468). “Aspire takes the security of its data and the personal information of its patients very seriously. Aspire is now working through the legal process to determine if any Aspire information was ultimately accessed by a third-party,” said Cory Brown, Aspire Health’s Chief Compliance Officer.
In their own admittance, Aspire did everything they can to know the identity of the phisher. All they had is the IP Address of the threat actor and an obviously a throw-away email account that the person that spread the phishing email, [email protected]. Aspire Health had no choice but to publicly reveal the phishing attack, as a part of the federal court’s subpoena to Google, for the search giant to help in identifying the phisher through their Gmail account.
“The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the e-mail account that John Doe 1 used in the phishing attack. This information will likely allow Aspire to uncover and locate John Doe 1,” explained James Haltom, Aspire Health’s lawyer.
On his part, Matthew Gardiner, a cybersecurity researcher for Mimecast highlights the need for companies to be aware of phishing risks. “This attack on Aspire Health is a type of email phishing attack that happens all too often. While the ultimate goal of the attacker can vary, the technique of using spear-phishing to lure an unsuspecting person to a fraudulent log-in page to then steal their email login credentials and data that flows through that account, happens regularly. many solid defenses against this technique, including the use of multi-factor authentication, anti-phishing and email monitoring services, as well as focused user awareness training. Coupled together, these security controls can significantly reduce the risk of these types of attacks being successful,” he explained.
Another cybersecurity expert, Ryan Kalember of Proofpoint has concurred Gardiner’s opinion above, highlighting the need for the healthcare industry to have their employees know about the risks involved in using computers in their organization. “The Aspire Health breach is emblematic of the most common cyberattack method that continues to hit the healthcare sector, cybercriminals targeting people through the email channel to steal data and compromise accounts. Healthcare employees are especially vulnerable to email-based attacks due to the high volume of personal health information they access, their frequent email communication with patients, time constraints in acute care settings, and highly publicized ransoms being paid by healthcare organizations. Our research shows that attackers continue to target healthcare workers into opening unsafe email attachments and clicking on malicious links,” concluded Kalember.
