Phishing scam exposes PHI of patients at Colorado Mental Health Institute

As the year comes to an end, there appears to be no end in sight for healthcare data hacks. In one of the latest reported cases, an employee of the Colorado Mental Health Institute at Pueblo (CMHIP) fell for a phishing scam on November 1 and potentially allowed the protected health information (PHI) of 650 patients to be exposed.

Officials announced on December 22 that the employee unintentionally allowed access to the computer after clicking on a phishing email. The 449-bed hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity.

Reportedly, an investigation by the state’s Office of Information Technology began November 2, the day after the exposure was discovered. According to state officials, the probe could not determine whether any private information held by CMHIP was actually acquired or viewed by a third party.

As required by HIPAA, all impacted patients have been notified of the security breach and told that the potentially compromised information “could include, but is not limited to name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.”

The CMHIP has implemented new technical safeguards to prevent future phishing attacks. Staff have received more training on the risks from phishing; privacy policies and procedures have also been reviewed and updated.

This latest attack will be included in the fourth-quarter 2017 breach reports, which wrap up this week. So far, Q4 is looking much like the period through Q3 in September, when hacking was the leading cause of healthcare data breaches. Those incidents involved phishing attacks, malware and ransomware, and the compromise of network servers and endpoints.

These repeated breaches underline why employees need ongoing training to recognize phishing emails and other social-engineering lures. We can help you do that. Contact our HIPAA experts at or call 877-218-7707.
