Colorado provider notifies 2K patients of potential data breach
On Dec. 5, 2011, Metro Community Provider Network (MCPN) in Englewood, Colo., became aware that a hacker potentially accessed the personal health information (PHI) of approximately 2,000 patients.
The date of the information breach was the same day MCPN became aware of the incident. The information that potentially has been accessed includes patients’ names, phone numbers, dates of birth, diagnoses (limited to diabetes, hypertension, hyperlipidemias and weight loss) and MCPN internal account numbers. “No credit card or bank account information of any kind was accessed by the hacker,” MCPN noted.
The incident was the result of an email phishing scam: a hacker sent several of MCPN’s employees an email that claimed to be from a trusted source and asked the employee to click on a link and provide login information. “It is important to note that none of our employees had any intention to cause patients any harm, nor did they have any intention of allowing a hacker to access personal information; they were victims of a scam,” MCPN added.
MCPN has taken the following actions in response to this incident:
- Initiated a forensic investigation;
- Required affected users to immediately change their password (this action effectively stopped further access to information);
- Required affected users to immediately review each and every email in their account and accurately provide the personal information that was potentially accessed;
- Performed a phishing test of users in a controlled and secure environment to identify areas where further education is necessary;
- Provided annual training to staff regarding PHI;
- Scheduled education of all computer systems users about the threat of phishing; and
- Implementing policies and procedures that will provide severe sanctions against any employee of MCPN who acts in a manner that poses a risk of breach of information.