USA: Colorado Physician Partners notifies OCR of data security incident
Colorado Physician Partners ('CPP') notified, on 25 March 2022, the U.S. Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') of a data security incident affecting 12,877 individuals. In particular, CPP stated that, on 27 January 2022, it had discovered that an unauthorised individual had gained access to a CPP employee's work email account. Further, CPP noted that, following an investigation into the incident, it was found that the access by the unauthorised individual involved syncing which may have resulted in the individual having access to certain emails with personal information. As such, CPP highlighted that the potentially affected personal information includes full names, dates of birth, social security numbers, home addresses, phone numbers, email addresses, insurance ID numbers, and, in some cases, medical information.
In response to the incident, CPP highlighted that it had reset all passwords and made changes to settings and how employees gain access to their emails, whilst also reinforcing employee training.