Nashville, Tenn.-based Aspire Health lost some patient information to an unknown cyberattacker who gained access to its internal email system in September, federal court records filed Sept. 25 and reviewed by The Tennessean show.
After the hacker broke into Aspire's email systems using email phishing tactics on Sept. 3, they forwarded 124 emails to an external email account. Those emails contained "confidential and proprietary information and files" and "protected health information," according to the court records.
No additional details about the contents of the hacked emails have been made public, and it's unclear how many patients were affected. However, in a prepared statement obtained by The Tennessean, Aspire said it alerted a "small handful" of patients who "may have been impacted."
An Aspire spokesperson told the publication the outpatient palliative care company immediately locked the compromised email account after discovering the attack.
The phishing attack originated from a website with an Eastern European IP address that lists Google as the registrar. Google flagged the website as "deceptive," and the site now warns visitors that they may be tricked into sharing their personal information. Aspire sought voluntary help from Google to identify the hacker, but Google refused and told Aspire it would need a subpoena.
On Sept. 25, Aspire filed a motion in federal court to subpoena Google for more information on the unknown hacker, referred to as John Doe 1 in the court documents.
"The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the email account that John Doe 1 used in the phishing attack," Aspire attorney James Haltom wrote. "This information will likely allow Aspire to uncover and locate John Doe 1."
Aspire, which operates in 25 states and the District of Columbia, is a home healthcare business that connects patients with palliative care physicians.