Exploit: Unauthorized Database Access
AspenPointe: Healthcare Non-Profit
Risk to Small Business: 1.613 = Severe
AspenPointe has disclosed a large data breach that exposed personally identifying information (PII) of patients working with the non-profit organizations that it manages, including participants in its mental health and substance misuse programs. The unauthorized access took place in early September 2020, and it’s unclear how much data was stolen. AspenPointe is a nonprofit funded by Medicaid, state, federal, and local government contracts, as well as donations, that manages 12 organizations providing care and counseling in Colorado.
Individual Risk: 1.820 = Severe
Patients may have had extensive personal and private information exposed, including PII such as their date of birth, Social Security number, Medicaid ID number, date of the last visit (if any), admission date, discharge date, and/or diagnosis code. AspenPointe is providing those affected by the data breach with IDX identity theft protection services, including “12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.”
Customers Impacted: 295,617
How it Could Affect Your Customers’ Business: Data breaches at any business are bad news, but at a business like this, it’s a nightmare. Not only will AspenPointe have to deal with the corporate fallout, but regulators are also going to come calling with fines, making this incident extra expensive.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.