Critical Care, Pulmonary and Sleep Associates in Lakewood, Colo., notified 23,377 patients about a potential exposure of their protected health information after an unauthorized individual gained access to an employee's email account.
Six things to know:
1. CCPSA learned on Nov. 23 that a cyberattacker had gained access to an employee's email account and sent phishing emails to individuals in the employee's electronic contacts.
2. The organization immediately launched an investigation into the incident, and determined the unauthorized user had accessed the email account between Aug. 14 and Nov.
23, 2018.
3. The investigation could not determine whether the hacker had viewed or copied patient data that was stored in the email account.
4. Personal data held in the email account included:
- Full names
- Dates of birth
- Addresses
- Phone numbers
- Email addresses
- Clinical information, such as dates of service, diagnoses and conditions
- Labs and diagnostic studies
- Medications and treatment information
- Insurance member and group numbers
- Limited Social Security numbers and driver's licenses
5. All employees were ordered to change their email account passwords Nov. 23, and CCPSA will be providing employees with mandatory security awareness training.
6. CCPSA is offering affected individuals one year of free credit-monitoring services.