Phishing Scam Hits Colorado Eyecare Practice

Nearly 27,000 patients may have been affected.

Colorado Retina Associates in Denver has reported a breach of part of its secured computer network.

On Jan. 12, the practice “discovered that an unauthorized individual gained access to an employee’s work email account when that email account was used to send phishing emails to individuals in the employee’s electronic contacts,” according to a notice issued by the practice. Colorado Retina Associates reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights.

The practice “immediately began investigating, secured that email account, and subsequently secured CRA’s entire email environment.” It hired a national firm with forensic computer expertise to assist in the investigation and to determine the nature and scope of the breach.

The notice continued:

CRA’s forensic investigation concluded on February 24, 2021 and determined that there was unauthorized access to certain CRA email accounts and that two user accounts that had patient information, may have involved “syncing” (copying) of the email account by the unauthorized individual(s) between January 6, 2021 and January 17, 2021. CRA immediately began a detailed analysis and review of all the potentially compromised emails and attachments to identify the names of all individuals who were potentially impacted, as well as the type of information included in these files. Although CRA could not fully determine whether, and to what extent, the unauthorized individual(s) viewed any personal information, regrettably it is possible because of the syncing, that some patients’ personal information may have been acquired and could therefore be viewed by the unauthorized individual(s).

Personal information involved may have included any of the following: full name, date of birth, home address, phone number, email address, clinical information such as dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment or procedure information, and certain health insurance, claims, billing, and payment information. For less than 3% of involved individuals social security numbers were involved and for less than 0.2% of individuals, driver’s license, financial account, or payment card information was involved.

In response, CRA took immediate steps to enhance the protections that were in place before this incident. CRA made changes to how authorized individuals gain access to accounts and required password changes to all authorized employee accounts. CRA is reinforcing security awareness through reminders to its entire workforce. Additionally, CRA reported this incident to law enforcement for further investigation.

Since launching in 2014, INVISION has won 23 international journalism awards for its publication and website. Contact INVISION's editors at [email protected].
