
Cyber Incident Victim: Colorado Mental Health Institute

Date:

Nov 2017

Location:

United States of America

Summary

A phishing incident at the Colorado Mental Health Institute at Pueblo potentially compromised patient records after a staff member inadvertently granted access to a state computer. While investigators found no evidence confirming third-party acquisition of sensitive data, the exposure risk affected 650 patients and could have included names, dates of birth, Social Security numbers, contact details, insurance information, and admission or discharge dates. The facility notified impacted individuals and implemented enhanced technical safeguards, revised privacy policies, and additional staff training to address the breach. Because the facility is a forensic hospital serving individuals involved in criminal proceedings, the notifications included guidance on credit monitoring resources for affected patients.


Description

On November 1, 2017, a staff member at the Colorado Mental Health Institute at Pueblo (CMHIP) unintentionally allowed unauthorized access to a state-issued computer after falling victim to a phishing scam. The Colorado Office of Information Technology (OIT) initiated an investigation the following day, November 2, to assess potential data exposure. Investigators concluded their review without finding evidence confirming that third parties acquired or viewed protected patient information. Despite the absence of confirmed data exfiltration, CMHIP determined the incident qualified as a potential breach under the HIPAA Breach Notification Rule, which requires notifying affected individuals unless a risk assessment shows a low probability that the information was compromised, and which additionally requires notice to the Department of Health and Human Services and the media when 500 or more individuals are affected. The incident placed 650 patient records at risk of compromise. Sensitive information within these records potentially included patient names, dates of birth, Social Security numbers, physical addresses, phone numbers, insurance details, and admission or discharge dates. CMHIP functions as a 449-bed forensic mental health facility serving adults with pending criminal charges requiring competency evaluations, those deemed incompetent for court proceedings needing restoration treatment, and individuals adjudicated not guilty by reason of insanity.


CMHIP notified all 650 potentially affected patients following the investigation’s conclusion in December 2017. The hospital established a dedicated toll-free hotline ((833) 870-1201) operating weekdays from 9 a.m. to 4 p.m. excluding holidays to address patient concerns. Notifications advised patients to monitor credit activity through free reports from Experian, TransUnion, and Equifax, providing contact details for all three credit agencies. Internally, CMHIP collaborated with HIPAA Privacy and Security personnel to implement new technical safeguards, revise privacy policies and procedures, and develop enhanced staff training programs. The employee involved in the phishing incident received disciplinary action consistent with Colorado Department of Human Services policies and legal requirements. These corrective measures aimed to prevent recurrence while maintaining compliance with federal healthcare privacy regulations governing protected health information.
