Aspire Health is facing legal investigation after a data breach exposed over 138,000 patient records, raising questions about delayed disclosure and compliance.
 |
| A massive breach at Aspire Health exposed sensitive patient data. Legal experts cite delayed disclosure and potential violations of privacy law. Symbolic Image |
San Francisco, United States – August 26, 2025:
Aspire Rural Health System is under legal scrutiny following a significant data breach that compromised the sensitive personal and medical data of 138,386 patients. The breach affected a network of over 70 providers under Aspire Health, a Michigan-based system that includes Deckerville Community Hospital, Hills & Dales Healthcare, Marlette Regional Hospital, and The Heartlands Senior Living.
San Francisco law firm Schubert Jonckheer & Kolbe LLP has opened an investigation into the incident, citing potential violations of state and federal privacy laws. Aspire Health discovered the breach on July 18, 2025, but it had allowed unauthorized access to its systems from November 4, 2024, to January 6, 2025. Despite knowing the scope of the intrusion, Aspire only began notifying patients on or around August 20, 2025—over a month after the breach was discovered and several months after it ended.
The data breach involved highly sensitive information, including names, dates of birth, Social Security numbers, financial account details, health insurance information, medical diagnoses and treatments, prescription data, payment card details, lab results, biometric identifiers, provider information, driver’s license and passport numbers, usernames and passwords, as well as medical record and patient identification numbers.
Legal experts have expressed concern over the delay in notification, which may not comply with the Health Insurance Portability and Accountability Act (HIPAA) and other state-level data breach reporting regulations. The firm argues that affected individuals are now at elevated risk for identity theft, financial fraud, and unauthorized use of their medical information. According to Schubert Jonckheer & Kolbe LLP, victims of the breach may be entitled to compensation and a court order requiring Aspire Health to strengthen its cybersecurity practices.
A spokesperson for the firm stated that the long delay in notification raises serious ethical and legal concerns and that patients were deprived of the opportunity to take timely steps to protect themselves. The case highlights a growing crisis in healthcare cybersecurity, where increasing attacks are met with inadequate institutional response and transparency.
Patients affected by the breach are encouraged to seek legal advice or learn more about their rights at classactionlawyers.com/aspirehealth.
Schubert Jonckheer & Kolbe LLP, which specializes in complex consumer, shareholder, and privacy litigation, is based in San Francisco and litigates nationwide with the support of co-counsel.