University of Colorado Hospital Authority

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

University of Colorado Hospital Authority Data Breach

The University of Colorado Hospital Authority (UCHealth) experienced a data breach due to a cybersecurity incident at one of its vendors, Diligent Corporation. On January 17, 2023, UCHealth filed a notice of the data breach with the U.S. Department of Health and Human Services Office for Civil Rights. The breach resulted in unauthorized access to personal information, including names, Social Security numbers, financial account information, dates of birth, and protected health information of consumers[1].

Details of the Breach

  • Vendor Involved: Diligent Corporation, a software company providing business operations tools for UCHealth[1].
  • Information Compromised: Names, Social Security numbers, financial account information, dates of birth, and protected health information[1].
  • Number of Individuals Affected: Approximately 48,879 individuals received data breach notification letters from UCHealth[1].
  • UCHealth’s Response: UCHealth began reviewing the affected files to determine the extent of the information compromised and started sending out data breach notification letters to impacted individuals[1].
  • Diligent Corporation’s Response: Diligent Corporation sent out data breach letters to all individuals whose information was compromised as a result of the security incident[1].

Impact and Risks

The breach puts affected individuals at a significantly increased risk of identity theft and other fraud. Cybercriminals often target healthcare providers and related companies to obtain information for committing such crimes[1].

UCHealth’s Status

UCHealth is a not-for-profit healthcare organization based in Aurora, Colorado, serving patients throughout Colorado, southern Wyoming, and western Nebraska. It operates or is affiliated with over 600 offices, employs more than 27,000 people, and generates approximately $5.4 billion in annual revenue[1].

Diligent Corporation’s Profile

Diligent Corporation is a software-as-a-service company based in New York City, New York, specializing in governance, risk, and compliance software. It has more than 25,000 customers, over one million active users, employs more than 760 people, and generates approximately $250 million in annual revenue[1].

Recommendations for Affected Individuals

UCHealth recommends that affected individuals remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring credit reports[1].

Legal Actions and Investigations

Law firms are investigating the incident and may offer legal remedies to affected individuals. UCHealth and Diligent Corporation have begun contacting individuals whose information may have been impacted, and UCHealth has stated that it remains committed to safeguarding the information of its patients, employees, and providers[1][16][17].

Affected individuals are advised to review breach notifications, enroll in free credit monitoring services if offered, change passwords for online accounts, monitor credit reports, and consider placing a fraud alert with credit bureaus[16][17].

Citations:

  1. https://www.jdsupra.com/legalnews/university-of-colorado-hospital-2697397/
  2. https://www.9news.com/article/news/local/data-stolen-hca-healthcare-breach/73-44c82437-a07a-4bb1-9c2d-8dc6454fd860
  3. https://www.darkreading.com/cyberattacks-data-breaches/clop-gang-steals-personal-health-data-of-4-million-in-colorado-breach
  4. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  5. https://www.coloradoan.com/story/news/2023/01/27/uchealth-warns-patients-employees-of-data-breach-by-cybercriminal/69849782007/
  6. https://casetext.com/case/craven-v-university-of-colorado-hosp-auth
  7. https://oag.ca.gov/privacy/databreach/list
  8. https://colevannote.com/data-breach-university-of-colorado-hospital-authority/
  9. https://www.hipaajournal.com/january-2023-healthcare-data-breach-report/
  10. https://hcpf.colorado.gov/moveit
  11. https://www.cu.edu/accellion-cyberattack
  12. https://www.mass.gov/lists/data-breach-notification-letters-august-2023
  13. https://www.cbsnews.com/colorado/news/uchealth-lawsuit-collections-medical-debts-credit-service-company-optically-bad-low-income-patients-colorado-nonprofit-hospitals/
  14. https://www.ucdenver.edu/policies
  15. https://gazette.com/news/local/uchealth-patient-provider-employee-information-may-have-been-leaked-in-data-breach/article_061ab054-9e98-11ed-9427-5b0ce7733124.html
  16. https://www.turkestrauss.com/2023/01/27/uchealth-data-breach-investigation/
  17. https://www.uchealth.org/today/software-vendor-shares-information-about-data-breach/

  • Breach Submission Date: Jan 17, 2023
  • Converted Entity Name: University of Colorado Hospital Authority
  • Converted Entity Type: Healthcare Provider
  • State: CO
  • Individuals Affected: 48,879
  • Breach Type: Hacking/IT Incident
  • Breach Information Location: Network Server
  • Business Associate Present: Yes