HIPAA Breaches at Colorado Department of Human Services and Sinai Health System

The State of Colorado is informing 12,230 people that some of their protected health information (PHI) was impermissibly disclosed due to a mailing error.

The error involved the mailing of Notices to Reapply for food and cash assistance programs by the Colorado Department of Human Services.

The error was discovered on November 6, 2019. According to the investigation results, 10,879 Notice to Reapply forms were dispatched containing the data of the wrong persons. The data of 12,230 people were included on the forms by mistake.

The data contained in the forms were names, names of employers, whether the individual had a vehicle, and some other data associated with household assets. No addresses, birth dates, financial data, Social Security numbers, or any other data needed for identity theft and fraud were disclosed.

Affected persons were informed of the error on November 10, 2019 and were instructed to dispose of the wrong notices either by shredding them or by bringing them to a local county office of human services for proper disposal.

The risk of improper use of PHI is low because of the nature of the exposed data. However, as a preventative measure, affected persons were offered free credit monitoring services for one year.

Phishing Attack on Sinai Health System

Sinai Health System, based in Chicago, found out that two of its employees’ email accounts were compromised after the employees responded to phishing emails. No information was given about when the attack happened or when it was identified. However, Sinai Health System reported that an investigation by third-party computer forensics professionals confirmed on October 16, 2019 that PHI contained in the accounts had been compromised. The attackers potentially accessed the PHI, but no proof of data theft was uncovered and no report of PHI misuse has been received.

The types of data contained in the compromised email accounts differed from one patient to another. The following data may have been included: names, addresses, birth dates, Social Security numbers, medical data, and medical insurance details. Sinai Health System has already taken steps to strengthen email security, including an upgrade of its email filtering controls. Employees also received additional security awareness training to help them recognize malicious emails. Email retention policies were also modified.

Sinai Health System submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights, which indicated the compromise of the PHI of 12,578 patients.