Phishing Attack at Children’s Hospital Colorado Compromises Patient Data
by Kapua Iao
Children’s Hospital Colorado, an academic pediatric acute care hospital with several locations throughout Colorado, released a notice July 27 reporting a recent phishing attack by an “unauthorized party.”
Not much is known about the email breach at this time. The hospital discovered the breach June 22, immediately securing the affected email account and hiring an outside firm to investigate.
Unfortunately, this is not the first phishing attack experienced by the hospital.
Who was affected by the phishing attack?
On June 22, the hospital learned that an outside party may have accessed a provider’s email account from April 6–12.
The hospital has not stated the type of phishing attack or the number of individuals affected.
The U.S. Department of Health and Human Services Office for Civil Rights’ Breach Portal lists the breach as an email hacking/IT incident affecting 2,553 individuals.
Exposed protected health information (PHI) may include name, date of service(s), medical record number, zip code, and limited clinical information such as diagnoses.
RELATED: Is a Name PHI?
At this time, there is no evidence that the hacker misused or accessed PHI. According to the notice, no other documents (such as patient charts) or systems were impacted.
Not the first email breach
In September 2017, Children’s Hospital Colorado reported a possible exposure of 3,370 patient’s PHI through a team member’s email account in July.
While neither breach would make a top 10 biggest breaches list, both are concerning, particularly the recent breach during the current crisis.
What steps has Children’s Hospital Colorado taken to protect patient data?
Children’s Hospital Colorado correctly utilized separate computer systems for sensitive data. As stated by the hospital, however, employee awareness training and email security need updating.
The investigation into the breach is ongoing and the hospital is “notifying all potentially affected families for whom it has contact information.”
Children’s Hospital Colorado also set up a dedicated line for patients seeking additional information. The hospital stated similar steps after the 2017 breach.
The 2020 notice further indicates the hospital’s commitment to evaluating additional training platforms and reviewing technical controls related to email.
How strong email security can help
Phishing and social engineering remain a significant problem in 2020; vigilance is more important than ever.
That’s why our customers turn to Paubox Email Suite Plus in order to send HIPAA compliant email directly to patient’s inboxes (no password or portal required), and to protect themselves from cyberattacks with robust inbound security tools such as display name spoofing protection and spam filtering.
Paubox Email Suite Plus seamlessly integrates with a customer’s existing email provider to send encrypted email by default; no change in user behavior is required once it is configured.
Strong email security and knowledgeable employees allow healthcare organizations to communicate effectively while keeping everyone protected for complete, comprehensive healthcare.