Colorado clinic notifies 23,000 patients after phishing incident

Critical Care, Pulmonary and Sleep Associates in Lakewood, Colo., notified 23,377 patients about a potential exposure of their protected health information after an unauthorized individual gained access to an employee's email account.

Six things to know:

1. CCPSA learned on Nov. 23 that a cyberattacker had gained access to an employee's email account and sent phishing emails to individuals in the employee's electronic contacts.

2. The organization immediately launched an investigation into the incident, and determined the unauthorized user had accessed the email account between Aug. 14 and Nov.
23, 2018.

3. The investigation could not determine whether the hacker had viewed or copied patient data that was stored in the email account.

4. Personal data held in the email account included:

  • Full names
  • Dates of birth
  • Addresses
  • Phone numbers
  • Email addresses
  • Clinical information, such as dates of service, diagnoses and conditions
  • Labs and diagnostic studies
  • Medications and treatment information
  • Insurance member and group numbers
  • Limited Social Security numbers and driver's licenses

5. All employees were ordered to change their email account passwords Nov. 23, and CCPSA will be providing employees with mandatory security awareness training.

6. CCPSA is offering affected individuals one year of free credit-monitoring services.

More articles on cybersecurity:

5 Delaware health insurers hit in data breach
Insiders caused more than half of healthcare breaches in 2018: 4 notes
Alaska health department adds nearly 700,000 victims to breach count: 5 notes

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Featured Content

Featured Webinars

Featured Whitepapers