Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error.

The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs.

The error came to light on November 6, 2019. The investigation revealed that 10,879 Notice to Reapply forms had been sent containing the information of incorrect individuals. The information of 12,230 individuals had been incorrectly included on the forms.

The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal.

The risk of misuse of PHI is low due to the nature of the disclosed information but, as a precaution, affected individuals have been offered complimentary credit monitoring services for 12 months.

Sinai Health System Phishing Attack Reported

Chicago-based Sinai Health System has discovered the email accounts of two of its employees have been compromised as a result of responses to phishing emails. No information has been disclosed about the date of the attack and when it was discovered, but Sinai Health System has reported that third-party computer forensics experts determined on October 16, 2019 that the compromised accounts contained protected health information which was potentially accessed by the attackers. No evidence of data theft was uncovered during the investigation and no reports have been received to suggest any PHI has been misused.

The types of information in the compromised accounts varied from patient to patient and may have included names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Steps have already been taken to improve email security, including upgrading email filtering controls. Staff have also received further security awareness training to help them identify malicious emails, and email retention policies have been revised.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the compromised accounts contained the protected health information of 12,578 patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.