Critical Care, Pulmonary & Sleep Associates Email-Related Breach Impacts 23,300 Patients

A data breach at Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has impacted over 23,300 patients. CCPSA detected the email account breach on November 23, 2018 when the email account was used to send phishing emails to people in the employee’s contact list. The emails requested payments be made to an account controlled by the attacker.

The account was immediately blocked to prevent further unauthorized activity and all email accounts had their passwords reset. Users were asked to create new, strong passwords. CCPSA hired a third-party computer forensics company to investigate the incident and find out the extent of the breach. The investigation came to a conclusion on December 14, 2018.

As per the investigation findings, the attacker accessed several email accounts from August 14 to November 23, 2018. The data breach only affected the email system. The medical record system remained secure.

After analyzing the compromised email accounts, the investigators reported that the electronic protected health information (ePHI) of over 23,300 patients had potentially been accessed. The information potentially compromised included patients’ names, addresses, email addresses, telephone numbers, birth dates, dates of service, medical conditions, diagnoses, laboratory test results, information associated with diagnostic studies, treatment data and insurance details. For some patients, Social Security numbers, driver’s license numbers and costs of medical services were also exposed.

CCPSA had implemented safeguards to prevent phishing attacks, although they were insufficient to prevent the attack. Further safeguards have now been implemented to improve security,  changes were made to network access by authorized persons, the IT department changed some rules related to the computer systems and the entire workforce had to undergo further training on security awareness.

The Department of Health and Human Services’ Office for Civil Rights posted a breach summary on its breach portal indicating the ePHI of 23,377 people was exposed.