Cyber Incident Victim: Aesto Health

Aesto Health experienced a data security incident impacting its internal IT systems, first detected on March 8, 2022, when the company observed disruptions in its IT operations. The investigation confirmed on March 22 that patient information was involved, tracing unauthorized access to its systems between December 25, 2020, and March 8, 2022. During this period, an attacker copied files from a backup storage device containing radiology reports for Osceola Medical Center (OMC) patients, for whom Aesto Health served as a business associate. The compromised records included patient names, dates of birth, radiology report findings, and associated physician names. Aesto Health clarified that OMC’s own data systems and medical records remained secure and were not directly accessed during the breach. The incident affected 17,400 OMC patients, with notification letters mailed starting May 20, 2022.

Aesto Health’s response emphasized containment and transparency, stating no further patient action was required due to the nature of the exposed data. The company did not disclose specific technical remediation steps but affirmed it took the incident seriously and regretted any patient concerns. Law enforcement involvement was not mentioned in available reports, nor were details provided about whether ransomware or extortion attempts accompanied the data exfiltration. The breach timeline overlapped with a separate cyber event at Aon PLC, though no connection between the incidents was indicated. OMC’s operations and patient care systems remained unaffected, as the compromise was isolated to Aesto Health’s backup storage infrastructure. No misuse of the copied radiology data was confirmed at the time of reporting.