HIPAA Breaches at Sinai Health System and Colorado Department of Human Services

Sinai Health System in Chicago learned that the email accounts of two employees were compromised after they responded to phishing emails. It is not known when the attack occurred or when it was discovered. Nevertheless, Sinai Health System stated that third-party computer forensics experts investigated the incident and confirmed on October 16, 2019 that the compromised accounts contained PHI. The attackers may have viewed the PHI, but no proof or report of data theft or PHI misuse is available.

The types of information in the compromised email accounts varied from patient to patient. The compromised information may have included names, birth dates, addresses, Social Security numbers, medical information, and health insurance information. Sinai Health System has taken steps to reinforce email security, including upgrading its email filtering controls. Employees also received extra security awareness training to help them recognize malicious emails. Changes to email retention policies were likewise implemented.

Sinai Health System’s breach report to the Department of Health and Human Services’ Office for Civil Rights indicated that the PHI of 12,578 patients was compromised.

Mailing Error of Colorado Department of Human Services

The State of Colorado notified 12,230 individuals about the impermissible disclosure of some of their protected health information (PHI) because of a mailing error.

The mailing error involved the Colorado Department of Human Services’ Notices to Reapply for food and cash assistance programs.

The State of Colorado became aware of the error on November 6, 2019. According to the investigation findings, the 10,879 Notice to Reapply forms sent to recipients contained the wrong personal information. The information of 12,230 individuals was added to the forms by mistake.

The forms contained the following information: names, employers, whether the person owns a motor vehicle, and some other information related to household property. Financial information, addresses, birth dates, Social Security numbers, and other information required for identity theft and fraud were not disclosed.

Affected individuals received notification of the mailing error on November 10, 2019. They were advised to dispose of the wrong notices in either of two ways: by shredding them or by taking them to a nearby county office of human services.

Because of the type of data exposed, the risk of improper use of PHI is low. However, as a precautionary measure, the affected individuals received 12 months of free credit monitoring services.