Colorado

In Colorado, data breaches are defined as the unauthorized attainment of covered information, entailing compromise of security or confidentiality. That excludes good faith acquisition employees or clientele. Colorado's data breach regulations apply to every entity or individual dealing directly with protected information. Encrypted information whose key was not accessed is exempt from the law. Unfortunately, Colorado ranks high in terms of number of victims per state in the country at 14. The losses in 2022 in Colorado totaled more than $178 million. The most common data breaches within the state are stolen identities, malware, ransomware, and hacking. Government institutions, tech, and healthcare organizations are the primary targets within the state.

Identity Theft Statistics

Identity Theft
Reports
27TH
State Rank (Reports per 100K Population)
6,272
Identity Theft Reports
Fraud & Other
Reports
8TH
State Rank (Reports per 100K Population)
38,303
Total Fraud & Other Reports
Fraud
Losses
$28.7M
Total Fraud Losses
$303
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
22%
Identity Theft
14%
Telephone and Mobile Services
7%
Online Shopping and Negative Reviews
6%
Banks and Lenders
5%
Auto Related
4%
Credit Bureaus, Iformation Furnishers and Report Users
4%
Prizes, Sweepstakes and Lotteries
4%
Debt Collection
4%
Internet Services
3%

Top Identity Theft Types

34%
4,292
Credit Card Fraud
19%
2,329
Other Identity Theft
17%
2,105
Bank Fraud
11%
1,342
Employment or Tax-Related Fraud
9%
1,188
Loan or Lease Fraud
6%
791
Phone or Utilities Fraud
4%
534
Government Documents or Benefits Fraud

Colorado's Recent Biggest Data Breaches

2023
October

PeakMed Colorado

PeakMed Colorado filed a notice of a data breach in October 2023. They explained that it occurred because of an unauthorized party accessing customer information. PeakMed responded by resetting all employee passwords and initiated an investigation. The investigation showed that an employee's credentials were compromised, and a party logged into the system between July 24 and August 30, 2023. Though the information type that was infiltrated varies, it may have included names, addresses, birth dates, driver's license numbers, Social Security, financial account information, medical data, and health insurance details. The company also sent out letters to those affected by the event.

2023
July

Welltok Data breach

Welltok is a Denver-based patient engagement organization whose networks were breached following the MOVEit transfer tool issue. This data breach event occurred in July 2023. The number of people affected by the breach totaled more than 8.4 million. A documentation review confirmed that the members' data, including names, birth dates, health information, and addresses, was compromised. Their Social Security numbers and Medicaid identification numbers were also acquired. The organization also implemented a substitute breach notification to its website, though it would only be found in individuals who visited it.

2023
June

Colorado Department of Higher Education Data Breach

In June 2023, the Colorado Department of Higher Education indicated that it was the victim of a ransomware incident. Following the attack, the organization took steps to secure its network. They also collaborated with third-party specialists to investigate the incident. The information compromised included Social Security numbers, dates of birth, health information, and other demographic information. In August 2023, the Colorado HCPF sent data breach letters to those affected. These letters were given to individuals affected by the recent incident as a protective measure to ensure their data was not compromised.

2023
May

Colorado Department of Health Care Policy and Financing Data Breach

In May 2023, Progress Software found an issue that affected the MOVEit Transfer application. Though the Department of Health Care Policy and Financing confirmed that none of its systems were concerned, the initial investigation found that certain HCPF documents involved in the MOVEit app were accessed by an unauthorized party in May 2023. The information for specific individuals entailed names, home addresses, birth dates, home addresses, Medicaid ID numbers, and other demographics. HCPF declared that they take information security seriously and apologized for any inconveniences that may have occurred.

2021
July

Sound Generations Data Breach

Sound Generations, a Department of Human Services Vendor, advised the Department that they had experienced a breach following an unauthorized party gaining access to their systems in July 2021. Sound Generations severed the access and commenced an investigation to ascertain the level of the breach. The vendor also confirmed that the incident affected some of the customer information. They indicated no reason to believe there was information misuse concerning the impacted personnel. Sound Generations also provided notice of the occurrence to clientele and the potentially affected. It is estimated the incident affected more than 103,000 people. The organization also advocated that those affected regularly check for suspicious activity on their accounts, such as unauthorized transactions in the following year.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Businesses in Colorado that have experienced a breach must notify individuals whose information has been compromised. They are required to do so via verified methods such as email notifications, telephone, and written notices. If the data breaches affect 500 or more people, the business must notify the attorney general.

According to Colorado statutes, should the breach concern more than 100 residents' information, it also has to notify consumer reporting agencies like Transunion or Equifax. On the notification, the business entity has to specify a description of the info that was infiltrated, contact data, the estimated date of the breach, and a statement that the resident could get information from the credit reporting agencies concerning security alerts. Businesses must also direct their residents to protect their online accounts by changing their credentials. When notifying the Colorado attorney general, companies must use the Data Breach notification form. When reporting to credit reporting agencies, the business must also give the date all residents were notified.

Laws

  • Colorado statute. Rev. Stat. § 6-1-716 deals with defining personal information and data breaches. It also covers the notification obligation and requirements before alerting the attorney general as well as the consumer.
  • Colorado Revised Statutes Title 6. Consumer and Commercial Affairs § 6-1-716 handles the meaning of personalized information and the disclosure of breach regulations. It also covers all state procedures deemed to comply with the notice requirements.
  • The Colorado Privacy Act (CPA) gives consumers rights concerning their data, including viewing, deleting, or altering their personal data. All state residents have the right to get this information in a portable and ready-to-use format. Thus, controllers have to give consumers free of charge information for their first request.

Resources