Children’s Hospital Colorado notifies 3,400 families after employee’s email account was improperly accessed
At Children’s Colorado, protecting the security and confidentiality of patient personal and medical information is of the utmost importance. Regrettably, this notice concerns an unintentional exposure of protected health information that may affect nearly 3,400 patient families.
On July 11, 2017, Children’s Colorado learned that a team member’s email account may have been accessed by an unauthorized party.
When Children’s Colorado learned of this, it immediately secured the affected email account and began an investigation. This included hiring an outside expert forensics firm. Through a comprehensive review of the affected email account, Children’s Colorado determined that some of the emails included patient demographic information such as names, addresses, dates of birth, and telephone numbers, and also may have included limited clinical information, such as diagnosis and treatment received.
Importantly, neither patient charts nor Children’s Colorado’s electronic medical records system was compromised. In addition, no Social Security numbers or financial information was included in any of the emails. Only the discrete information contained in the single email account was potentially affected.
Children’s Colorado has no evidence that information in the emails has been misused or even accessed. However, in an abundance of caution and full transparency, all potentially affected families will be notified by mail. Children’s Colorado began sending letters to affected patient families on Sept. 8, 2017, and established a dedicated call center to answer questions patient families may have. Starting Monday, Sept. 11, anyone who has questions regarding this incident can call 1-888-398-6989, Monday through Friday, between 9 a.m. and 9 p.m. Mountain Time.
Children’s Colorado recommends that affected patient families regularly review the explanation of benefits statement they receive from their health insurer. If families identify services listed on their explanation of benefits that they did not receive, they should immediately contact their insurer.
Children’s Colorado deeply regrets any inconvenience caused by this incident. The hospital has implemented enhancements to its existing safeguards and initiated a review of our systems to further improve protection of patient information.
DataBreaches.net has sent an inquiry to the hospital asking when the email access actually occurred and whether it was the result of phishing, a hack, or stolen credentials, etc. This post will be updated if more information becomes available.