You are currently viewing Hacker Steals 124 PHI-Laden Emails in Aspire Phishing Attack

Hacker Steals 124 PHI-Laden Emails in Aspire Phishing Attack

Do you need a secure place to share files with your colleagues and clients without risking privacy?

Enjoy the secure storage and sharing service for your and your clients files: SkyFlok

SkyFlok encrypts and distributes your information across multiple locations and providers, meaning an attacker needs to compromise multiple Cloud providers before having any chance to look at your files.

Join us!

September 27, 2018 – Aspire Health, a Nashville-based in-home healthcare provider, suffered a phishing attack on Sept. 3 in which a hacker gained access to its internal email system earlier this month, according to court documents cited by

The attacker apparently forwarded 124 emails containing PHI and other confidential information to an external email account.

It was not clear how many patients were affected or what type of PHI was accessed.

“Aspire recently learned one of its employees was the victim of an international phishing attack. Aspire’s information security team quickly discovered the attack and immediately took action to lock the employee’s account. Aspire is now working through the legal process to determine if any Aspire information was ultimately accessed by a third-party. Out of an abundance of caution, Aspire has already alerted the small handful of customers who may have been impacted by this event,” Aspire said in a statement quoted by WSMV TV News4.

The phishing attack originated from a website with an Eastern European IP address for which Google is the registrar. The hacked emails were also forwarded to a Google email address.

The court documents related to a motion filed by Aspire asking the court to subpoena Google about information on the hacker, who is only identified as John Doe 1. Aspire originally sought the information informally, but was told by Google it had to get a subpoena, the report explained.

“The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the e-mail account that John Doe 1 used in the phishing attack,” argued Aspire attorney James Haltom in the court documents. “This information will likely allow Aspire to uncover and locate John Doe 1.”

Commenting on the Aspire breach, Mimecast Cybersecurity Strategist Matthew Gardner said: “This attack on Aspire Health is a type of email phishing attack that happens all too often. While the ultimate goal of the attacker can vary, the technique of using spearphishing to lure an unsuspecting person to a fraudulent log-in page to then steal their email login credentials and data that flows through that account happens regularly.”

Proofpoint SVP of Cybersecurity Strategy Ryan Kalember observed: “The Aspire Health breach is emblematic of the most common cyberattack method that continues to hit the healthcare sector, cybercriminals targeting people through the email channel to steal data and compromise accounts.”

“Healthcare employees are especially vulnerable to email-based attacks due to the high volume of personal health information they access, their frequent email communication with patients, time constraints in acute care settings, and highly publicized ransoms being paid by healthcare organizations. Our research shows that attackers continue to target healthcare workers into opening unsafe email attachments and clicking on malicious links,” Kalember said.

PASCO Says PHI of 1,839 Patients At Risk from Phishing Attack

Personal Assistance Services of Colorado (PASCO), a provider of home and community-based health services, reported to OCR on Sept. 20 that it suffered an email breached that affected 1,839 individuals.

In a Sept. 20 press release, PASCO said it was the target of a phishing email scam that compromised an employee’s email account.

PASCO said it discovered on July 24 suspicious emails sent to several employees. It launched an investigation and discovered that the organization was the victim of an email phishing campaign beginning on or around the middle of July 2018.

A probe by a third-party forensic investigator determined Aug. 13 that one employee email account was accessed without authorization.

Information that might have been exposed included patient address, date of birth, provider’s name, and Medicaid number.

PASCO said it is providing complimentary identity theft monitoring services to those affected by the breach.

Claxton-Hepburn Employees ‘Inappropriately’ Accessed Medical Records

New York-based Claxton-Hepburn Medical Center said Sept. 26 that it discovered breaches of PHI during a recent internal investigation, reported.

The employees who accessed medical records “inappropriately” have been fired, the report noted.

“During a recent internal investigation, breaches of patient information were discovered. The employees involved have been subject to disciplinary action. All patients involved in the breach have been notified via registered mail,” CHMC spokeswoman Laura Shea said in a statement.

She declined to provide the number of patients affected by the breach or the number of employees involved.

Shea said the hospital has enacted additional safeguards to reduce the likelihood of future breaches, the report noted.


Or go back to

Daniel Lucani

PhD at MIT. Author of 8 patents and applications on network coding. Tech expert 12+ years experience.