HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed

The Colorado Mental Health Institute at Pueblo has discovered that one of its employees fell for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients.

The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care for patients. The hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity.

The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day and access to the device was promptly blocked.

The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty.

All patients impacted by the incident have been notified of the security breach, as is required by HIPAA. They have been informed that potentially compromised information “could include, but is not limited to name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.”

The phishing attack has prompted the Colorado Mental Health Institute to implement new technical safeguards to prevent future phishing attacks. Privacy policies and procedures have also been reviewed and updated, and staff have received further training on the risks from phishing. The Colorado Mental Health Institute said the individual who fell for the phishing scam has been dealt with “in accordance with CDHS policy and applicable law.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.