Colorado healthcare provider reports breach affecting more than 295,000 individuals

AspenPointe Inc., a Colorado-based mental health and behavioral healthcare provider, reported a breach on November 19 affecting 295,617 individuals, according to the Office for Civil Rights (OCR) breach report.

In a security notice posted on its website, AspenPointe said it experienced a cyberattack in the latter part of September. The attack caused AspenPointe to shut down operations for several days. The company recruited third-party cybersecurity professionals to assist with the investigation, which concluded that patients’ full names and one or more of the following were removed from AspenPointe’s network in connection with the incident:

• Bank account information
• Date of birth
• Driver’s license number
• Social Security number

AspenPointe is not aware of any reports of identity fraud or improper use of this information, according to the security notice. The organization said it will assist affected individuals with certain resources, including a one-year membership to a credit monitoring solution. AspenPointe also set up a toll-free response line that is staffed with professionals who are familiar with the incident.

Since the breach, AspenPointe has forced password changes, implemented additional endpoint protection, increased monitoring, and implemented firewall changes, according to the security notice.