Cyber Incident Victim: Aspire Health

On September 3, 2018, Aspire Health, a Nashville-based healthcare company providing in-home treatment across 25 U.S. states, experienced a cybersecurity breach initiated by a phishing attack. The phishing scheme successfully compromised Aspire’s internal email system, granting the attacker unauthorized access. Following this intrusion, the threat actor forwarded 124 internal emails to an external email account under their control. These emails contained confidential and proprietary business information alongside protected health information (PHI) belonging to patients. The breach remained undisclosed publicly until court records filed on September 25, 2018, revealed the incident, though the exact timeline of detection and internal response was not detailed in available records. The attacker’s identity and motives were not disclosed, and no evidence suggested broader network infiltration beyond the email compromise.

The exfiltrated data included sensitive patient health information governed by HIPAA regulations, though the specific number of affected individuals or types of PHI (e.g., medical records, identifiers) were not enumerated in court filings. Aspire Health’s disclosure emphasized the loss of both corporate data and patient information, indicating operational and compliance impacts. The company pursued legal action to address the breach, as evidenced by the federal court records, though no technical remediation steps (e.g., system hardening, phishing training) or patient notification processes were publicly described. The incident highlighted risks associated with email-based attacks targeting healthcare providers handling sensitive data across multiple jurisdictions. No additional consequences, such as regulatory penalties or secondary attacks linked to the breach, were reported in the available source material.