On September 20, 2018, Personal Assistance Services of Colorado, LLC reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).
The email breach at Personal Assistance Services of Colorado, which is based in Lakewood, Colorado, affected 1,839 individuals’ protected health information. Personal Assistance Services of Colorado is classified as a Healthcare Provider. According to this report about Personal Assistance Services of Colorado’s breach:
Personal Assistance Services of Colorado LLC ("PASCO") is taking action after discovering that it became the target of a phishing email scam that compromised an employee's email account credentials. Although there is no indication of actual or attempted misuse of client information, PASCO is notifying individuals whose records were or may have been subject to unauthorized access and providing these individuals with information and resources that can be used to better protect against the possibility of identity theft or fraud.
What Happened
On or about July 24, 2018, PASCO discovered suspicious emails sent to several employees. PASCO immediately commenced an investigation and discovered that the organization was the victim of an email phishing campaign beginning on or around the middle of July 2018. Credentials for the email account were changed to prevent further unauthorized access. Third party forensic investigators were retained to assist with determining the full nature and scope of the incident. The investigation determined on August 13, 2018 that one employee email account was accessed without authorization on or around July 22, 2018. A review of the contents of the email account was conducted to identify what information may have been accessible and who may be affected. On or about August 26, 2018, it was determined that information related to certain individuals was included in emails that may have been viewed without authorization.
Notification
PASCO is mailing letters to clients that may have been impacted by this event. PASCO is also informing the U.S. Department of Health and Human Services about this incident. The information involved may have included the following: service billing codes, address, provider name, Medicaid number, and/or birthdate. No Social Security numbers, diagnoses, medical details, or financial account information were exposed as a result of this incident.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals, as reported in the HHS Wall of Shame.