Colorado mental hospital has data breach, but no damage was done, investigators say

An employee at the Colorado Mental Health Institute at Pueblo fell for a phishing scam on a state computer on Nov. 1, but an investigation has found no evidence the phishers caught any data, the state Department of Human Services said Friday afternoon.
Phishing is an internet scam in which a victim is tricked into giving up passwords or other access to a computer or network, which is then used to steal money or data.
Though there was no sign that sensitive patient records were tapped, “some personal information could have been compromised,” said DHS, citing name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.
The patients have been directed to the three credit reporting companies for a free copy of their credit report to make sure no one uses their identity.
Though everything seems fine so far, DHS is required to disclose the breach by the Health Insurance Portability and Accountability Act, because it potentially could have exposed personal information of more than 500 patients. This case involved the records of potentially 650 patients, DHS said.
“CMHIP has taken steps to notify all individuals who may have been affected and is working with HIPAA Privacy and Security staff to create new technical safeguards, review and revise privacy policies and procedures, and institute additional training for all CMHIP staffers to further address this issue,” DHS said in a statement.
