Alternate Solutions Health Network Breach Exposes 93,589 Records
Alternate Solutions Health Network Data Breach: 93,589 Patient Records Compromised in Email Security Incident
On April 14, 2025, Alternate Solutions Health Network, LLC (ASHN), a prominent Ohio-based healthcare provider specializing in home health and hospice care, disclosed a major data security incident that compromised the personal information of 93,589 individuals across the United States. The breach, which involved unauthorized access to company email systems, has been reported to the U.S. Department of Health and Human Services' Office for Civil Rights and added to the HHS Wall of Shame.
What Happened
Alternate Solutions Health Network discovered that unauthorized individuals gained access to one of its email accounts, leading to a significant data breach. The incident was classified as a hacking/IT incident, with the breach location specifically identified as email systems.
ASHN is a healthcare services company that provides home health programs in partnership with hospitals, making this breach particularly concerning given the sensitive nature of home healthcare services and the vulnerable patient populations typically served by such organizations.
The company has stated its commitment to protecting the privacy and security of the personal information it maintains. The breach appears to have been detected through its internal monitoring systems, though specific details about the discovery timeline remain limited.
Who Is Affected
The data breach impacts 93,589 individuals who received services from Alternate Solutions Health Network or had their information stored in the compromised email systems. Given ASHN's role as a home health and hospice care provider, the affected individuals likely include:
- Current and former home health patients
- Hospice care recipients and their families
- Patients referred through hospital partnerships
- Healthcare workers and staff members
- Family members and emergency contacts
The breach affects individuals across multiple states, though ASHN is based in Ohio and likely serves patients throughout the region and beyond through its hospital partnership programs.
Breach Details
While specific technical details about the breach method remain limited, the incident has been classified as a hacking/IT incident targeting email systems. This type of breach typically involves:
- Unauthorized access to email accounts through compromised credentials
- Potential malware or phishing attacks targeting staff members
- Possible business email compromise (BEC) schemes
- Exploitation of email security vulnerabilities
The breach was reported to the HHS Office for Civil Rights on April 14, 2025, meeting the required 60-day reporting deadline under HIPAA regulations. The fact that nearly 94,000 individuals were affected suggests that the compromised email account(s) contained substantial amounts of patient information or had access to databases containing patient records.
Email-based breaches in healthcare are particularly concerning because email systems often contain:
- Patient medical records and treatment information
- Insurance and billing information
- Personal identifying information including Social Security numbers
- Communication between healthcare providers about patient care
- Scheduling and appointment information
What This Means for Patients
For the 93,589 individuals affected by this breach, the compromise of their personal information creates several immediate and long-term risks:
Identity Theft Risk: Depending on the types of information accessed, patients may face increased risk of identity theft, particularly if Social Security numbers, dates of birth, and addresses were compromised.
Medical Identity Theft: Healthcare information can be used to fraudulently obtain medical services, prescription drugs, or file false insurance claims, potentially affecting patients' medical records and insurance coverage.
Financial Fraud: If payment information or insurance details were accessed, patients could face unauthorized charges or insurance fraud.
Privacy Concerns: The exposure of sensitive medical information, particularly for hospice patients and their families, represents a significant invasion of privacy during already difficult times.
Patients should remain vigilant for signs of identity theft or fraud and monitor their credit reports, insurance statements, and medical records for any suspicious activity.
How to Protect Yourself
If you are among the individuals affected by the Alternate Solutions Health Network breach, take these immediate steps to protect yourself:
Monitor Financial Accounts: Check bank statements, credit card statements, and insurance explanations of benefits for unauthorized charges or suspicious activity.
Review Credit Reports: Obtain free credit reports from all three major credit bureaus (Equifax, Experian, and TransUnion) and review them for new accounts or inquiries you didn't authorize.
Consider Credit Monitoring: While ASHN has not announced whether it will provide credit monitoring services, consider enrolling in credit monitoring or placing a fraud alert on your credit file.
Watch for Phishing: Be cautious of unexpected emails, phone calls, or texts requesting personal information, especially those claiming to be related to the breach.
Monitor Medical Records: Review explanation of benefits statements from your insurance company and medical records for services you didn't receive.
Document Everything: Keep records of all communications related to the breach and any steps you take to protect yourself.
Prevention Lessons for Healthcare Providers
The Alternate Solutions Health Network breach highlights critical cybersecurity challenges facing healthcare organizations, particularly those providing home health and hospice services. In response to this incident, ASHN has announced plans to implement additional cybersecurity safeguards, enhance employee cybersecurity training, and improve cybersecurity policies, procedures, and protocols.
Email Security Best Practices include:
- Implementing multi-factor authentication for all email accounts
- Regular security awareness training for staff
- Advanced threat protection and email filtering systems
- Regular security assessments and penetration testing
- Encryption of sensitive data in transit and at rest
HIPAA Compliance Considerations require healthcare providers to:
- Conduct regular risk assessments
- Implement appropriate administrative, physical, and technical safeguards
- Train workforce members on security policies and procedures
- Monitor and audit access to protected health information
- Have incident response plans in place
This breach serves as a reminder that cybersecurity is not a one-time implementation but an ongoing process that requires continuous attention, updates, and improvement. Healthcare organizations must balance accessibility of patient information for care purposes with robust security measures to protect against unauthorized access.
The healthcare industry continues to be a prime target for cybercriminals due to the valuable nature of medical information and the critical need for immediate access to patient data. Organizations like ASHN must invest in comprehensive cybersecurity programs that address both technical vulnerabilities and human factors that can lead to security incidents.