Phishing attack at Colorado Mental Health Institute impacts 650 patients

The state has been unable to determine whether breached information was seen by a third party, but officials said names, dates of birth and Social Security numbers may have been compromised.
By Mike Miliard
12:52 PM

Data on a state-issued computer at the Colorado Mental Health Institute at Pueblo was subject to a potential breach this past month, after a staffer clicked on a spoofed email, officials announced December 22.

On November 1, the staffer at the 449-bed mental health hospital unintentionally allowed access to the computer through the phishing scam. Colorado officials say an investigation by the state's Office of Information Technology began the next day. The probe "was unable to determine that any private information held by CMHIP was acquired or viewed by a third party," according to state officials.

Still, the breach potentially affected the information of 650 patients. OIT said that, while it found no evidence that "sensitive patient records" were acquired or viewed by a third party, some personal information may have been compromised, such as names, dates of birth, Social Security numbers, addresses, phone numbers, insurance information and admission and discharge dates.

CMHIP is one of two state facilities in Colorado that provide inpatient care for adult patients. It serves individuals with pending criminal charges that require evaluations of competency, those who have been found by a court to be incompetent to proceed and individuals found to be not guilty by reason of insanity.

The hospital has notified all individuals whose information might have been affected and is working with HIPAA Privacy and Security staff to put in place technical safeguards, revise privacy policies and add new training for staff, officials said.

Twitter: @MikeMiliardHITN