HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack

Almost 3,400 patients of Children’s Hospital Colorado are being notified that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of a staffer.

The incident was discovered by the Aurora, CO hospital on July 11, 2017, prompting a full investigation to determine the scale and scope of the breach. A third-party computer forensics firm was hired to assist with the investigation to help identify how access to the email account was gained, whether any other systems had been compromised, and to identify any actions taken by the attacker.

An analysis of data in the email account showed a limited amount of PHI was potentially compromised, including names, addresses, dates of birth, telephone numbers, medical diagnoses, treatment information and other clinical information. No financial information, insurance details, Social Security numbers or other highly sensitive data were exposed.

The investigation confirmed the breach was limited to a single email account and its EHR was not affected. While access to the email account was possible, the investigation uncovered no evidence to suggest any emails were accessed no that any PHI was viewed. Children’s Hospital Colorado also said no reports have been received to suggest any information has been misused in any way.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Children’s Hospital Colorado said, “Protecting the security and confidentiality of patient personal and medical information is of the utmost importance.” To prevent future incidents of this nature from occurring, existing safeguards have been enhanced and a review of its systems is underway to identify any additional controls that can be implemented to further protect patient health information.

Notifications were sent to all affected individuals by mail on Friday and the incident has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.