CO: Hackers tap into medical group's records after employees fall for phishing attempt

Mark Meredith reports:

A Denver area non-profit medical group is asking customers to beware of hackers after the group discovered patient data had been compromised.

“On Monday, December 5th, 2011, Metro Community Provider Network became aware that a hacker potentially accessed the personal health information of some of our patients’ personal health information,” said the Metro Community Provider Network in a statement on its website.

The group believes hackers may have accessed patient names, phone numbers, and medical conditions. It’s not believed that hackers were able to access billing information like credit cards.

Read more on KWGN.

The group’s notice to patients is prominently linked from their home page. The statement indicates that the compromise occurred because employees fell for a phishing attempt:

On Monday, December 5th, 2011, Metro Community Provider Network became aware that a hacker potentially accessed the personal health information of some of our patients’ personal health information. We identified the date of the information breach to be Monday, December 5th, 2011; the same day we became aware of the breach. We are notifying affected individuals in as timely a manner as possible so they may take swift personal action along with our organization’s efforts to reduce or eliminate potential harm. The incident involving protected health information was a result of an email phishing scam. In this incident, a hacker sent an email to several of Metro Community Provider Network’s employees that claimed to be from a trusted source. The email asked for the employee to click on a link and provide login information. This was then used to gain access to the employee’s confidential emails. It is important to note that none of our employees had any intention to cause patients any harm, nor did they have any intention of allowing a hacker to access personal information; they were victims of a scam.

The information that has potentially been accessed includes patients’ names, phone numbers, dates of birth, diagnoses (limited to diabetes, hypertension, hyperlipidemias and weight loss) and MCPN internal account numbers. No credit card or bank account information of any kind was accessed by the hacker. Approximately 2000 patients may have been affected.

About the author: Dissent