Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed
The Colorado Mental Health Institute at Pueblo has discovered one of its employees has fallen for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients.
The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care. The hospital serves patients with pending criminal charges who require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes by reason of insanity.
The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day, and access to the device was promptly blocked.
The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty.
All patients impacted by the incident have been notified of the security breach, as is required by HIPAA. They have been informed that potentially compromised information “could include, but is not limited to name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.”
The phishing attack has prompted the Colorado Mental Health Institute to implement new technical safeguards to prevent future phishing attacks. Privacy policies and procedures have also been reviewed and updated, and staff have received further training on the risks of phishing. The Colorado Mental Health Institute said the individual who fell for the phishing scam has been dealt with “in accordance with CDHS policy and applicable law.”