Cyber Incident Victim: Childrens Hospital Colorado

On July 11, 2017, Children’s Hospital Colorado discovered that an unauthorized party may have accessed a single employee’s email account. The hospital immediately secured the compromised account and initiated an internal investigation, supplemented by an external forensic firm’s expertise. A thorough review of the account’s contents revealed that certain emails contained patient demographic information, including names, addresses, dates of birth, and telephone numbers, alongside limited clinical details such as diagnoses and treatments. The investigation confirmed that no patient charts, electronic medical records systems, Social Security numbers, or financial data were involved in the exposure. While the hospital found no evidence that the unauthorized actor actually viewed or misused the information, the breach potentially impacted approximately 3,400 patient families due to the presence of protected health information within the email account.

Children’s Colorado began mailing notification letters to affected families on September 8, 2017, and established a dedicated call center operational from September 11 to address inquiries. The hospital advised recipients to monitor their health insurance explanation of benefits statements for discrepancies and report any unrecognized services to their insurer. Although the incident did not compromise core medical systems or sensitive financial identifiers, the hospital expressed regret for the inconvenience and disclosed enhancements to existing security safeguards. No specifics regarding the unauthorized access method—such as phishing, credential theft, or external hacking—were publicly confirmed, as the forensic review did not establish conclusive evidence of data misuse. The response prioritized transparency and precautionary measures despite the absence of identified harm stemming from the exposure.