Ransomware Attack Possibly Leads to PHI Access at Central Colorado Dermatology

by | Aug 27, 2018

Central Colorado Dermatology (CCD) has made contact with over 4,000 clients that some of their protected health information (PHI) has possibly been obtained by cyber criminals during a ransomware attack on its IT systems.

An unauthorized person obtained access to CCD’s computer network and installed ransomware on a server. Medical histories and patients’ medical charts were not viewed, although certain files and scanned fax correspondence were encrypted. Some of those files included PHI.

An investigation was initiated to determine if protected health information was obtained it was not possible to determine with a high degree of certainty whether any PHI was stolen. CCD did not find any proof to suggest that PHI had been accessed or stolen, although some of the software that had been placed on its network could have enable files to be downloaded.

The range of files that could have been obtained including the following details: Names, addresses, contact telephone information, birth dates, emails, Insurance data, Social Security numbers, insurance payment codes and expenses, dates of service, clinical information, medical conditions, diagnoses, treatment information, laboratory test results, diagnostic studies, duplicates of CCD reports and notes and information sent to CCD from other healthcare suppliers by fax.

The investigation discovered that remote access was obtained to a single server on June 5, 2018 and ransomware was installed the same day.

Upon identifying of the attack, steps were taken to safeguard the network and block remote access and a cybersecurity firm was retained to look into the attack. After systems were secured and the malicious software was deleted, the cybersecurity firm continued to review the network for several weeks to ensure that no further efforts were made to access the system. During that time period, no further intrusions were discovered and no suspicious network activity was noticed.

In reaction to the cyber attack, CCD has amended its password requirements and how its network can be logged onto, new anti-virus software has been enable, and further upgrades to system security have been implemented. That process is ongoing, guided by IT security specialists. Amendments have also been made to its fax software to see that that digital copies of faxes are not automatically saved on its network.

As unauthorized PHI access and theft of files could not be eliminated, notification letters were issued to all 4,065 patients whose PHI could possible have been accessed. All patients impacted by the breach have been provided with one year of credit monitoring services.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy