Cyber Incident Victim: AspenPointe
Date:
Sep 2020
Location:
United States of America
Summary
A Colorado mental health services provider experienced a cyberattack in September that disrupted most operations for several days. The breach involved unauthorized access and exfiltration of sensitive personal data, including full names combined with dates of birth, Social Security numbers, driver’s license details, or bank account information affecting hundreds of thousands of individuals. Following an investigation concluding in early November, the organization notified approximately 295,000 clients and employees, offering credit monitoring services despite no confirmed identity fraud linked to the incident at the time. The provider also reported the breach to federal health authorities and established a dedicated response line for affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late September 2020, AspenPointe, a Colorado-based provider of mental health, substance abuse, and behavioral services, experienced a severe cyberattack that disrupted its technological infrastructure. The attack forced the organization to shut down the majority of its operations for several days, significantly impacting service delivery. AspenPointe immediately initiated an investigation into the incident’s origins by engaging external cybersecurity professionals specializing in breach analysis. The investigation, which concluded on November 10, 2020, confirmed that attackers had exfiltrated sensitive personal information from the network. Compromised data included individuals’ full names combined with at least one of the following elements: dates of birth, Social Security numbers, driver’s license numbers, or bank account information. While the attack occurred in September, AspenPointe did not publicly disclose the full scope of the breach until after completing its forensic review in November. The organization acknowledged the incident’s severity by halting operations but did not specify the exact attack vector or identity of the threat actors involved in its public communications.
AspenPointe began notifying affected employees and clients via a website notice and mailed letters starting in late November 2020. The notification emphasized that no identity fraud or misuse of stolen data had been detected as a direct result of the breach at the time of disclosure. As a precautionary measure, the organization offered a one-year membership in a credit monitoring service to impacted individuals and established a dedicated toll-free response line (833-920-3180) staffed by professionals familiar with the incident. This line operated during Central Time business hours to address questions about data protection steps. AspenPointe directed employees to refer client inquiries to the provided phone number and clarified that clients would receive identical support resources. On November 19, 2020, AspenPointe reported the incident to the U.S. Department of Health and Human Services (HHS), disclosing that 295,617 patients were affected. The breach notification process prioritized transparency about compromised data categories but did not elaborate on technical containment measures or system restoration timelines beyond the initial multi-day shutdown period.