Phishing attack at Colorado Mental Health Institute impacts 650 patients
Data on a state-issued computer at the Colorado Mental Health Institute at Pueblo was subject to a potential breach this past month, after a staffer clicked on a spoofed email, officials announced December 22.
On November 1, the staffer at the 449-bed mental health hospital unintentionally allowed access to the computer as a result of the phishing scam. Colorado officials say an investigation by the state's Office of Information Technology began the next day. The probe "was unable to determine that any private information held by CMHIP was acquired or viewed by a third party," according to state officials.
Still, the breach potentially affected the information of 650 patients. OIT said that, while it found no evidence that "sensitive patient records" were acquired or viewed by a third party, some personal information may have been compromised, such as names, dates of birth, Social Security numbers, addresses, phone numbers, insurance information and admission and discharge dates.
CMHIP is one of two state facilities in Colorado that provide inpatient care for adult patients. It serves individuals with pending criminal charges that require evaluations of competency, those who have been found by a court to be incompetent to proceed and individuals found to be not guilty by reason of insanity.
The hospital has notified all individuals whose information might have been affected and is working with HIPAA Privacy and Security staff to put in place technical safeguards, revise privacy policies and add new training for staff, officials said.