PHI of Colorado Mental Health Institute Patients Exposed Due to Phishing Scam


An employee of the Colorado Mental Health Institute at Pueblo fell victim to a phishing scam that gave the attacker potential access to the protected health information of 650 patients. The Institute is a 449-bed hospital providing inpatient care. Its patients include defendants with pending criminal charges who require competency evaluations, people the courts have found incompetent to proceed, and people the courts have found not guilty by reason of insanity.

The phishing attack happened on November 1, 2017. The employee was tricked into disclosing login credentials, which gave the attacker access to a state-issued computer. Suspicious activity on the computer was detected the next day, and access to the device was blocked immediately.

A forensic investigation of the incident found no evidence that patients' protected health information was accessed or stolen. However, access or theft of the data cannot be ruled out with certainty.

In accordance with the HIPAA rules, the Colorado Mental Health Institute notified all patients potentially affected by the breach. The notification letter listed the information that may have been compromised: names, dates of birth, addresses, Social Security numbers, phone numbers, admission and discharge dates, and insurance details.

In response to the phishing attack, the Institute implemented new technical safeguards to prevent future phishing attacks, reviewed and updated its privacy policies and procedures, and trained staff to identify and avoid phishing attacks. The employee whose credentials were phished was dealt with in accordance with Colorado Department of Human Services (CDHS) policy and applicable law.