University of Colorado Hospital Authority
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
University of Colorado Hospital Authority Data Breach
The University of Colorado Hospital Authority (UCHealth) experienced a data breach due to a cybersecurity incident at one of its vendors, Diligent Corporation. On January 17, 2023, UCHealth filed a notice of the data breach with the U.S. Department of Health and Human Services Office for Civil Rights. The breach resulted in unauthorized access to personal information, including names, Social Security numbers, financial account information, dates of birth, and protected health information of consumers[1].
Details of the Breach
-
Vendor Involved: Diligent Corporation, a software company providing business operations tools for UCHealth[1].
-
Information Compromised: Names, Social Security numbers, financial account information, dates of birth, and protected health information[1].
- Number of Individuals Affected: Approximately 48,879 individuals received data breach notification letters from UCHealth[1].
- UCHealth’s Response: UCHealth began reviewing the affected files to determine the extent of the information compromised and started sending out data breach notification letters to impacted individuals[1].
- Diligent Corporation’s Response: Diligent Corporation sent out data breach letters to all individuals whose information was compromised as a result of the security incident[1].
Impact and Risks
The breach puts affected individuals at a significantly increased risk of identity theft and other frauds. Cybercriminals often target healthcare providers and related companies to obtain information for committing such crimes[1].
UCHealth’s Status
UCHealth is a not-for-profit healthcare organization based in Aurora, Colorado, serving patients throughout Colorado, southern Wyoming, and western Nebraska. It operates or is affiliated with over 600 offices, employs more than 27,000 people, and generates approximately $5.4 billion in annual revenue[1].
Diligent Corporation’s Profile
Diligent Corporation is a software-as-a-service company based in New York City, New York, specializing in governance, risk, and compliance software. It has more than 25,000 customers, over one million active users, employs more than 760 people, and generates approximately $250 million in annual revenue[1].
Recommendations for Affected Individuals
UCHealth recommends affected individuals to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring credit reports. They also suggest downloading a map app for offline use or purchasing a Japanese-English map to help navigate during the trip[1].
Legal Actions and Investigations
Law firms are investigating the incident and may offer legal remedies to affected individuals. UCHealth and Diligent Corporation have begun contacting individuals whose information may have been impacted, and UCHealth has stated that it remains committed to safeguarding the information of its patients, employees, and providers[1][16][17].
Affected individuals are advised to review breach notifications, enroll in free credit monitoring services if offered, change passwords for online accounts, monitor credit reports, and consider placing a fraud alert with credit bureaus[16][17].
Citations:
- https://www.jdsupra.com/legalnews/university-of-colorado-hospital-2697397/
- https://www.9news.com/article/news/local/data-stolen-hca-healthcare-breach/73-44c82437-a07a-4bb1-9c2d-8dc6454fd860
- https://www.darkreading.com/cyberattacks-data-breaches/clop-gang-steals-personal-health-data-of-4-million-in-colorado-breach
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://www.coloradoan.com/story/news/2023/01/27/uchealth-warns-patients-employees-of-data-breach-by-cybercriminal/69849782007/
- https://casetext.com/case/craven-v-university-of-colorado-hosp-auth
- https://oag.ca.gov/privacy/databreach/list
- https://colevannote.com/data-breach-university-of-colorado-hospital-authority/
- https://www.hipaajournal.com/january-2023-healthcare-data-breach-report/
- https://hcpf.colorado.gov/moveit
- https://www.cu.edu/accellion-cyberattack
- https://www.mass.gov/lists/data-breach-notification-letters-august-2023
- https://www.cbsnews.com/colorado/news/uchealth-lawsuit-collections-medical-debts-credit-service-company-optically-bad-low-income-patients-colorado-nonprofit-hospitals/
- https://www.ucdenver.edu/policies
- https://gazette.com/news/local/uchealth-patient-provider-employee-information-may-have-been-leaked-in-data-breach/article_061ab054-9e98-11ed-9427-5b0ce7733124.html
- https://www.turkestrauss.com/2023/01/27/uchealth-data-breach-investigation/
- https://www.uchealth.org/today/software-vendor-shares-information-about-data-breach/