Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Theft

Children’s Hospital Colorado is sending notifications to 2,553 patients regarding the potential access of some of their protected health information (PHI) due to unauthorized access of an email account from April 6 to April 12, 2020.

The attacker obtained credentials to access the account after an employee responded to a phishing email. The hospital identified the phishing attack on June 22, 2020 and immediately secured the email account. An analysis of the email messages and the file attachments in the account revealed that they held patient names, dates of service, medical record numbers, clinical diagnosis data and zip codes.

Since the breach, the hospital has taken steps to strengthen its email security defenses and has evaluated its platforms for teaching employees about cybersecurity. Technical controls associated with email were also analyzed.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a thief stole the laptop computer issued to an employee of Hoag Clinic based in Costa Mesa, CA. The laptop was left in a vehicle parked in a Newport Beach worksite parking lot. The clinic learned about the theft on the same day and notified law enforcement; however, the laptop was not recovered.

The IT security team verified that the laptop held the protected health information of 738 people, including first and last names, middle initial, phone number, e-mail address, address, date of birth, age, medical record number, physician’s name, whether the patient was being followed by case management, whether a COVID-19 test was performed, whether the individual was transferred to case management, whether a telehealth consultation was booked, communication status notes, and whether the individual was interested in home health.

Hoag Clinic has re-educated its employees on safety measures, enhanced its policies relating to the transport of laptop computers between worksites, and performed a complete security evaluation to ensure all proper cybersecurity precautions are in place. The clinic offered the affected people a complimentary 12-month membership to the Experian IdentityWorks identity theft detection and resolution service.