Health Care Company Alerts Customers of 2024 Breach Months Later, Law Firm Alleges
A Michigan-based health system with more than 70 providers suffered a data breach last year that exposed personal information of almost 140,000 individuals, a law firm said Monday. Two states also recently reported the breach of Aspire Rural Health System. The company may have violated state and federal laws by disclosing the breach well after it occurred.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“Although the breach began in November 2024, Aspire Health did not begin notifying affected individuals until on or around August 20, 2025,” which possibly was a violation, law firm Schubert Jonckheer said in a press release. It's investigating the breach on behalf of potential victims.
Data exposed may include Social Security numbers, financial account numbers and routing numbers, medical treatment and diagnosis information, individual health insurance information, payment card numbers and access PIN numbers, lab results, provider information, biometric identifiers, patient identification numbers and medical record numbers, Schubert Jonckheer said.
A notice on the Aspire site, published Aug. 20, informs visitors of the breach. It said that the company “learned that an unauthorized party gained access to Aspire’s internal network from on or about November 4, 2024, to on or about January 6, 2025.” Upon discovery, “Aspire immediately worked to contain the incident and launched a thorough investigation,” and “engaged leading outside cybersecurity professionals to secure the environment and to identify the scope of what personal information, if any, was involved.”
Aspire said it determined on July 18 what was leaked “after an extensive forensic investigation [and] manual document review exercise.” It didn't divulge the number of people impacted. It's the same material that Schubert Jonckheer said was exposed.
Aspire said written notification letters to those impacted were mailed on Aug. 20, though the health system “has no evidence of financial fraud or identity theft directly related to this incident.”
The Maine attorney general's office reported the breach Thursday, saying that four Maine residents were affected, and attached a sample notification letter. The letter noted Aspire was offering a complimentary membership for credit monitoring, though the number of months free offered is redacted. The Texas OAG also reported the breach Friday, and said that 477 Texans were affected.