Aspire Rural Health System hit byransomware attack exposing 138,000 patient records
Learn More
Aspire Rural Health System, a healthcare provider in Michigan is reporting a data breach that exposed sensitive personal and medical information of 138,386 patients and staff members.
The breach occurred as a result of a ransomware attack claimed by the BianLian group, which maintained unauthorized access to Aspire's internal network systems for a two-month period from approximately November 4, 2024, through January 6, 2025.
The extended access period allowed cybercriminals time to systematically identify, access, and steal patient data from multiple systems and databases. Exposed data includes:
- Names
- Dates of birth
- Social Security numbers
- Financial account numbers and routing numbers
- Medical treatment and diagnosis information
- Prescription information
- Individual health insurance information
- Payment card numbers and access PIN numbers
- Payment card expiration dates
- Laboratory results and provider information
- Driver's license numbers
- Passwords and usernames
- Biometric identifiers
- Patient identification numbers
- Medical record numbers
- Passport numbers
Aspire completed its review of compromised data on July 18, 2025, and began mailing breach notification letters to affected patients and staff on August 20, 2025. The organization reported the incident to the Maine Attorney General's Office on August 21, 2025.
Aspire is offering 12 months of free credit monitoring and identity theft protection services to individuals whose Social Security numbers were exposed in the breach.
