Children's Hospital of Colorado in Aurora began notifying 2,553 patients of a recent employee email phishing incident that may have exposed their private information.
The hospital reported the data breach to HHS on July 27 and published a notice to its website explaining that an unauthorized user gained access to a provider's email account from April 6-12.
Information that may have been exposed included names, date of services, medical record numbers, ZIP codes and clinical diagnosis information. The hospital said no other documents or systems, including Children Colorado's EHR, were impacted by the incident.
Children's Colorado discovered the incident on June 22 and immediately secured the affected email account and launched an investigation. The hospital said it has no evidence that information in the email account has been misused and is taking steps to increase security measures.
"Children's Colorado deeply regrets any inconvenience this incident might cause, and is committed to taking steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls related to email," the hospital said.