Colorado Family Practice Discovers Two Cybersecurity Incidents in One Week | Healthcare Informatics Magazine | Health IT | Information Technology

Colorado Family Practice Discovers Two Cybersecurity Incidents in One Week

January 2, 2018
by Rajiv Leventhal

A Colorado medical group is notifying patients of multiple cybersecurity hacks on its network within a single week.

Longs Peak Family Practice, a medical clinic in Longmont, Col., issued a privacy notice last week stating that on Nov. 5, the group discovered suspicious activity on its computer network and determined that a hacker had penetrated the network. The notice said that LPFP “immediately began investigating and took actions to attempt to secure the network, but the hacker executed malicious code within the network before it could be stopped. The malicious code included ransomware that encrypted certain files on our computers,” the notice read.

Then, on Nov. 10, the practice discovered a second hack into the network that did not involve ransomware. LPFP officials said that the organization hired an outside firm with forensic computer expertise to assist in the investigation to identify any malware and further investigate any unauthorized access that may have occurred because of the hacking activity.

The investigation revealed that there was no specific evidence that any data including patients’ health information was removed or accessed from the network, but that there was evidence of unauthorized access to some parts of the computer system on November 5, 9 and 10, the organization reported. What’s more, there wasn’t any evidence of any patient files being opened on the LPFP computers, but because some of the software installed by the hackers could have been used to download computer files and some files were encrypted, the practice cannot be completely sure that health information was not compromised.

The type of information that could have been compromised includes patients’ electronic charts, which may include full name, LPFP’s patient ID number, date of birth, address, phone numbers, email address, social security number, insurance carrier, insurance payment codes with associated costs, driver’s license, dates of service, clinical information including medical conditions, diagnoses, medications, labs and diagnostic studies, and copies of notes or reports by LPFP or other healthcare providers. The information did not include credit card or bank account information or invoices for medical services. Final statements for any accounts sent to a collection agency may have been involved, according to the privacy notice.

The medical group said that because of these incidents, it is making changes to how its network is accessed. The notice read, “We have upgraded our system in consultation with seasoned IT professionals, including the purchase of a new enhanced firewall, and are further analyzing the tools and procedures we use to monitor and attempt to block malicious attempts to hack into our network. We are re-analyzing our network and our policies to attempt to further safeguard against potential threats. We are reinforcing and providing additional privacy and security training to all our workforce. We reported the hacking incidents to law enforcement for further investigation.”
