26,000 people have information exposed in Colorado phishing incident

An eye care practice reported that an unauthorized individual had gained access to an employee's work email in January.
By Kat Jercich
12:11 PM


A Colorado-based eye care practice reported this past week that a phishing incident had led to the potential exposure of more than 26,000 patients' information.

According to a notice posted to its website, Colorado Retina Associates first discovered that an unauthorized individual had gained access to an employee's work email on January 12.  

After a forensic investigation, CRA determined that two user accounts containing patient information may have been synced (that is, copied) by the bad actors.

"Although CRA could not fully determine whether, and to what extent, the unauthorized individual(s) viewed any personal information, regrettably it is possible, because of the syncing, that some patients’ personal information may have been acquired and could therefore be viewed by the unauthorized individual(s)," wrote system representatives.  

WHY IT MATTERS  

According to the report submitted to the U.S. Department of Health and Human Services' Office for Civil Rights, 26,609 individuals were affected by the incident.  

CRA first discovered the breach when the compromised account was used to send phishing emails to individuals in the employee’s contacts. After securing the email environment, CRA's investigators determined that "there was unauthorized access to certain CRA email accounts."  

"Two user accounts that had patient information, may have involved 'syncing' (copying) of the email account by the unauthorized individual(s) between January 6, 2021 and January 17, 2021," continued the statement.

The personal information involved may have included contact information, date of birth, clinical information and some health insurance data. 

"For less than 3% of involved individuals, social security numbers were involved, and for less than 0.2% of individuals, driver’s license, financial account, or payment card information was involved," wrote CRA.  

In response, CRA required password changes for all authorized employee accounts and changed how authorized individuals gain access to those accounts.

THE LARGER TREND  

Although ransomware has been the hot-button cybersecurity topic of late, phishing (often in combination with other attacks) is a tried-and-true method for bad actors.  

This past November, some hospitals in Massachusetts reportedly received emails purporting to come from HHS and seeking information about COVID-19 statistics, raising fears about spear phishing attempts aimed at top executives and leading those systems to tighten their security protocols.

Such protocols, experts say, should also include staff training, including how to recognize phishing attempts.

ON THE RECORD  

"CRA is reinforcing security awareness through reminders to its entire workforce," read the notice on the website.


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
