Hack of Michigan health system exposes patients’ lab results


Cybercriminals penetrated Aspire Rural Health Systems’ network and infected it for months. The exposed patient details range from payment card details to medical records, with over 100,000 individuals impacted.

The data breach notice revealed that the Michigan-based health system suffered a data breach in November of last year, likely detecting it only in early January of this year. As is customary in such cases, Aspire sought help from cybersecurity pros, conducting an investigation into the data breach.

Information that Aspire provided to the Maine Attorney General’s Office revealed that nearly 140,000 individuals were exposed in the attack. Meanwhile, the data breach notice the company put on its website indicates that attackers may have accessed a comprehensive set of sensitive patient data, including:

  • Names and surnames
  • Dates of birth
  • Social Security numbers
  • Financial account numbers
  • Medical treatment and diagnosis information
  • Prescription information
  • Individual health insurance information
  • Payment card numbers and access PIN numbers
  • Payment card expiration dates
  • Lab results
  • Driver’s license numbers
  • Passwords and usernames
  • Biometric identifiers
  • Patient IDs
  • Medical record numbers
  • Passport numbers

Aspire stressed that, so far, there’s no indication that the data was exploited in any way and that the types of exposed data vary from individual to individual.

However, based on the list of exposed data, attackers may have accessed a very detailed and comprehensive list of personal, financial, and medical data. At least in theory, attackers could leverage the exposed dataset in multiple harmful ways.

Most obviously, cybercrooks could exploit the details for identity theft. There are more than enough details to successfully impersonate a person while attempting to remotely set up an account somewhere. Attackers could also attempt phishing attacks, as they could craft a convincing message that includes, for example, patients’ diagnoses. Typically, attackers try to coax victims into revealing even more sensitive details or installing malware.

What makes the data breach worse is the presence of financial identifiers. Not only can attackers set up fraudulent accounts, but they also know victims’ payment card details, which can be used to siphon funds from people whose details were impacted by the data breach. Individuals impacted by the Aspire attack should be vigilant about any suspicious behaviour on their financial accounts.

Leaked medical details present Aspire’s patients with another set of potential problems. Medical details are highly valued among cybercriminals as they enable medical identity theft. In such cases, attackers can submit fraudulent insurance claims or acquire prescription drugs, which are later sold on the dark web.

More devious attackers may even attempt to exploit leaked medical condition data to blackmail individuals who’d rather have their medical details kept private.

To help individuals mitigate potential risks, Aspire said it will provide impacted patients with complimentary identity protection and credit monitoring services.

“Please accept our apologies that this incident occurred. Aspire is committed to maintaining the privacy of personal information in our possession and has taken many precautions to safeguard it,” reads Aspire’s breach notification letter.