On January 21, 2019, Critical Care, Pulmonary and Sleep Associates, PLLP (CCPSA) reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).
CCPSA is located in Lakewood, CO, and the email breach potentially affected the protected health information of 23,377 individuals.
MHS is classified as a Healthcare Provider.
According to a notice on CCPSA’s website:
On November 23, 2018, CCPSA discovered that an unauthorized individual or entity gained access to an employee’s CCPSA email account and used the email address to send phishing emails to individuals in the employee’s electronic contacts seeking fraudulent financial payments. CCPSA immediately began investigating and took immediate action to block further access and to secure the email account and CCPSA’s entire email environment. CCPSA hired a national firm with forensic computer expertise to assist in the investigation and to determine the nature and scope of the breach. CCPSA’s forensic investigation concluded on December 14, 2018 and determined that there was unauthorized access to certain CCPSA accounts between August 14 and November 23, 2018. Importantly, CCPSA’s electronic medical records platform was NOT compromised or accessed by the
CCPSA immediately began a detailed analysis and review of all potentially compromised emails and files to identify the names of all individuals who were potentially impacted, as well as the type of information included in these files. Although CCPSA could not fully determine whether, and to what extent, the hacker viewed or copied personal information, regrettably it is possible that personal information was viewed or acquired by the hacker based on the nature of the unauthorized access.
Personal information that may have been accessed could include any of the following: full name, date of birth, address, phone number, email address, clinical information such as dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment information utilized by CCPSA or other providers with whom CCPSA has communicated on behalf of individuals and certain insurance information including member and group numbers, and in some instances costs for services, social security number, and/or driver’s license. Credit card and debit card information was NOT involved.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
Under section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.