PHI of Colorado Mental Health Institute Patients Exposed Due to Phishing Scam


An employee of Colorado Mental Health Institute at Pueblo fell victim to a phishing scam that gave the attacker potential access to the protected health information of 650 patients. The institute is a 449-bed hospital that provides inpatient care. Its patients include people with pending criminal charges who need competency evaluations, people whom the courts have found incompetent to proceed, and people whom the courts have found not guilty of crimes by reason of insanity.

The phishing attack happened on November 1, 2017. The employee was tricked into disclosing login credentials, which gave the attacker access to a state-issued computer. Suspicious activity on the computer was detected the next day, and access to the device was blocked immediately.

A forensic investigation of the incident did not reveal any evidence that patients' protected health information was accessed or stolen. However, data access or theft cannot be ruled out with 100% certainty.

In accordance with HIPAA rules, Colorado Mental Health Institute notified all patients potentially impacted by the data breach. The notification letter listed the information that may have been compromised: names, birth dates, addresses, Social Security numbers, phone numbers, admission and discharge dates, and insurance details.

In response to the phishing attack, the Institute implemented new technical safeguards to prevent future phishing attacks, reviewed and updated its privacy policies and procedures, and gave staff HIPAA training on how to identify and avoid phishing attacks. The employee whose actions exposed the institute to the phishing scam was dealt with in accordance with CDHS policy and applicable law.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.