Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Computer Theft

Children’s Hospital Colorado is informing 2,553 patients concerning the possible access of their protected health information (PHI) because of unauthorized use of an email account between April 6 and April 12, 2020.

The attacker acquired the username and password to sign into the account following the employee’s response to a phishing email. The hospital discovered the attack on June 22, 2020 and promptly secured the account. An evaluation of the messages and the attachments in the account showed that they had records of patient names, medical record numbers, dates of service, clinical diagnosis details and zip codes.

Since the breach, the hospital implemented measures to fortify email security protection and assessed the platforms for training personnel with regard to cybersecurity. Technical settings linked to email were likewise evaluated.

Laptop That Contains Unencrypted PHI Thieved From Hoag Clinic

On June 5, 2020, a thief stole the laptop computer given to a worker of Hoag Clinic located in Costa Mesa, CA. The laptop computer was left in a vehicle located in the worksite parking lot in Newport Beach. The clinic found out about the thievery immediately and informed the law enforcement, nevertheless, the device was not retrieved.

The IT security team confirmed that the laptop computer comprised the PHI of 738 persons, such as first and last names, middle initial, telephone number, address, email address, birth date, age, medical record number, doctor’s name, if the patient is being observed by case management, whether a COVID-19 test was done, whether the person was moved to case management, whether a telehealth appointment was slated, communication status records, and whether the person was concerned in home health.

The Hoag clinic has re-trained its personnel on security precautions, improved policies that cover the transport of laptops to and from worksites, and an extensive security analysis was done to make sure all suitable cybersecurity measures are set up. The clinic provided the impacted persons with free one-year membership to the Experian IdentityWorks identity theft recognition and resolution service.