Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Critical care, pulmonary and sleep associates, PLLP suffers email HIPAA breach

Critical care, pulmonary and sleep associates, PLLP suffers email HIPAA breach

On January 21, 2019, Critical Care, Pulmonary and Sleep Associates, PLLP (CCPSA) submitted a  HIPAA Email Breach to the  U.S. Department of Health and Human Services (HHS). Located in Lakewood, CO, the email breach potentially affected  23,377 individuals’  protected health information. MHS is classified as a  Healthcare Provider.

According to a notice on CCPSA's website: On November 23, 2018, CCPSA discovered that an unauthorized individual or entity gained access to an employee’s CCPSA email account and used the email address to send phishing emails to individuals in the employee’s electronic contacts seeking fraudulent financial payments. CCPSA immediately began investigating and took immediate action to block further access and to secure the email account and CCPSA’s entire email environment. CCPSA hired a national firm with forensic computer expertise to assist in the investigation and to determine the nature and scope of the breach. CCPSA’s forensic investigation concluded on December 14, 2018 and determined that there was unauthorized access to certain CCPSA accounts between August 14 and November 23, 2018. Importantly, CCPSA’s electronic medical records platform was NOT compromised or accessed by the hacker. CCPSA immediately began a detailed analysis and review of all potentially compromised emails and files to identify the names of all individuals who were potentially impacted, as well as the type of information included in these files. Although CCPSA could not fully determine whether, and to what extent, the hacker viewed or copied personal information, regrettably it is possible that personal information was viewed or acquired by the hacker based on the nature of the unauthorized access. Personal information that may have been accessed could include any of the following: full name, date of birth, address, phone number, email address, clinical information such as dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment information utilized by CCPSA or other providers with whom CCPSA has communicated on behalf of individuals and certain insurance information including member and group numbers, and in some instances costs for services, social security number, and/or driver’s license. Credit card and debit card information was NOT involved.

View the full notice here.


HHS Wall of Shame

The  HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured  protected health information affecting 500 or more individuals.


HIPAA Breach Report

The  Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.


Try Paubox Email Suite for FREE today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.