Hackers inside hospital network for two months expose 140K people

A Michigan-based health system has confirmed it was the victim of a data breach that likely exposed protected health information on nearly 140,000 people.

Aspire Rural Health System, which operates more than 70 facilities throughout the state, including three hospitals, said cybercriminals had access to its network for more than two months, between Nov. 4, 2024, and Jan. 6, 2025, before the intrusion was finally discovered.

In mid-February, a ransomware group called BianLian claimed credit for the breach, posting for sale on the dark web a trove said to contain records on patients, including names and procedure details, along with internal emails and documents that could be used to identify employees.

Aspire said its investigation into the incident was completed in July, and it found that files accessed or taken contained personal information, including dates of birth and Social Security numbers. The health system also confirmed that medical records were compromised, including patient IDs, details on diagnoses and treatments, along with insurance and financial information. 

However, it said, data stored in its Epic EHR was not compromised. 


HIPAA notifications sent 

To date, Aspire said it has no evidence any of the stolen information has been used to steal identities or commit other crimes. It also notified everyone who has been impacted, offering them credit monitoring services, as is required by the Health Insurance Portability and Accountability Act (HIPAA). 

According to Security Week, BianLian has not been active since March. What happened to the data trove from Aspire remains a mystery. 

In total, the Maine Attorney General’s Office reports that 138,386 people were victims of the breach. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
