
Phishing Scam Hits Colorado Eyecare Practice

Colorado Retina Associates in Denver has reported a breach of part of its secured computer network.

Nearly 27,000 patients may have been affected.

On Jan. 12, the practice “discovered that an unauthorized individual gained access to an employee’s work email account when that email account was used to send phishing emails to individuals in the employee’s electronic contacts,” according to a notice issued by the practice. Colorado Retina Associates reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights.

The practice “immediately began investigating, secured that email account, and subsequently secured CRA’s entire email environment.” It hired a national firm with forensic computer expertise to assist in the investigation and to determine the nature and scope of the breach.

The notice continued:

CRA’s forensic investigation concluded on February 24, 2021 and determined that there was unauthorized access to certain CRA email accounts and that two user accounts that had patient information, may have involved “syncing” (copying) of the email account by the unauthorized individual(s) between January 6, 2021 and January 17, 2021. CRA immediately began a detailed analysis and review of all the potentially compromised emails and attachments to identify the names of all individuals who were potentially impacted, as well as the type of information included in these files. Although CRA could not fully determine whether, and to what extent, the unauthorized individual(s) viewed any personal information, regrettably it is possible because of the syncing, that some patients’ personal information may have been acquired and could therefore be viewed by the unauthorized individual(s).

Personal information involved may have included any of the following: full name, date of birth, home address, phone number, email address, clinical information such as dates of service, diagnoses and conditions, labs and diagnostic studies, medications, other treatment or procedure information, and certain health insurance, claims, billing, and payment information. For less than 3% of involved individuals social security numbers were involved and for less than 0.2% of individuals, driver’s license, financial account, or payment card information was involved.

In response, CRA took immediate steps to enhance the protections that were in place before this incident. CRA made changes to how authorized individuals gain access to accounts and required password changes to all authorized employee accounts. CRA is reinforcing security awareness through reminders to its entire workforce. Additionally, CRA reported this incident to law enforcement for further investigation.

INVISION Staff

Since launching in 2014, INVISION has won 23 international journalism awards for its publication and website. Contact INVISION's editors at editor@invisionmag.com.
