Long: CDPHE recognized by governor’s award for statewide ‘phishing scam’

Author: Pam Long - January 31, 2017 - Updated: January 28, 2017

Pam Long
Pam Long

‘The public should be appalled at this award’

On January 24, 2017, Gov. John Hickenlooper recognized the Colorado Department of Public Health and Environment with a Governor’s Elevation Award for enhancing a database that tracks the public’s private medical information without their knowledge with a long list of undisclosed entities. Specifically, CDPHE was honored for enhancing data sharing of immunization records within a state registry known as the Colorado Immunizations Information Systems (CIIS). Here are seven reasons the public should be appalled at this award.

1. Doctors and nurses are not required to tell parents that their child’s immunization records are added to the state immunization registry, CIIS. People and their records are added to the registry at creation of the birth certificate, when vaccines are given, and at schools and daycares when records are collected. It is an opt-out system, meaning a parent has to know that the registry exists and opt-out, instead of opting-in under transparency. Parents are not required by law to share their children’s private medical information with the state, so an opt-out system circumvents consent.

2. The CIIS system has a primary function as an inventory and product re-ordering system for vaccine providers. This million-dollar annual expense to taxpayers supports a highly profitable vaccine industry. No other for-profit industry has a state funded record keeping software.

3. A 2015 Economic Review of IIS (Patel et al) found no actual benefit to public health measured by reduced morbidity and mortality, at the cost of $2.4 million to $7 million dollars over five years to the state. [1] A 2015 Systematic Review of IIS (Groom et al) found that IIS had no performance measures or deliverables for public health, and practices using IIS did not have significantly higher vaccination rates than those practices not using an IIS.

4. The CIIS system uses the data to activate a reminder-recall-home visit program to increase vaccine uptake. [2] If a parent opts a child out of a vaccine, such as the controversial HPV vaccine for a sexually transmitted disease, the parent could be harassed by the state for their choice for their child. The database is loaded with Personally Identifying Information (PII) to include addresses.

5. CIIS creates a targeted population registry at the state level that interfaces with the CDC’s Vaccine and Tracking System at the federal level. [3] According to the IIS Strategic Plan Executive Summary from the CDC, the end goal is “Real time, consolidated immunization data and services for all ages are available for authorized clinical, administrative, and public health users, and consumers, anytime and anywhere.” There are no protections in Colorado law for citizens, both adults and children, from CDPHE utilizing CIIS data to restrict attendance at school or work, or travel for people who opt out of some vaccines or boosters every 10 years.

6. Schools are required to protect the privacy of vaccine records as part of all student records under the federal law of FERPA, so an automated system to collect immunization records from the schools is in a posture to violate federal law and phishing for private medical information. FERPA requires that schools and daycares can only release student records if parents have given prior written consent for the specific record and to the specific agency.

7. In 2016, CDPHE implemented a new online vaccine exemption form for schools that feeds PII directly into CIIS. However, Colorado statute only requires a parent to submit a “statement of exemption” to the school for any of the 70 doses on the current U.S. vaccine schedule. Statute does not require that a parent submit a form to the state for inclusion in a registry. CDPHE does not have authority in legislation, nor did it follow the public rule making process to implement this form. The new exemption form is currently pending judicial review in Douglas County for legality.

Our state lawmakers are currently desperately looking for money to improve roads and schools. The people of Colorado would like to give a “High Impact Performance Award” for the lawmaker who can lead the legislative effort to defund CIIS in the state budget, and direct those millions of dollars to something that actually works for the public, and not against the public.

[1] http://www.thecommunityguide.org/vaccines/imminfosystems.html

[2] http://www.thecommunityguide.org/vaccines/homevisits.html

[3] http://www.cdc.gov/vaccines/recs/reminder-sys.htm

Pam Long

Pam Long is a graduate of the United States Military Academy, and a former Army Medical Service Corps Officer where she worked in emergency medical treatment in peacekeeping task forces and commanded a medevac headquarters company. She holds a board certification in behavioral psychology. She currently consults with health advocacy groups at the local and state level.


  • Kathy Sincere

    January 31, 2017 at 10:11 am

    Ms. Long has again hit the CDPHE nail on the head. This is truly a Colorado agency gone rogue. As Ms. Long sagely noted in a previous Statesman article, this out-of-control agency merits “an oversight committee to police the CDPHE in 2017” – NOT an award from the Governor! Over the years, CDPHE has consistently acted beyond legislative authority. HB16-1164 was defeated in the House last year because it was in clear violation of the Family Educational Rights and Privacy Act. Yet CDPHE still proceeds as if HB16-1164 did pass and is law. While CDPHE violates FERPA on a daily basis and conducts a statewide phishing scam of private medical information, they are given a “get out of jail” card from our Governor and an award to boot!

  • Sharon Anable

    January 31, 2017 at 10:20 am

    So I wonder how much this “award” costs the taxpayer for the Governor to basically pat himself on the back? Even $1 is $1 too much and a waste of taxpayer dollars.

  • Brandon B

    January 31, 2017 at 5:15 pm

    Ms. Long has created a long list of misleading and incorrect information. The links she provides do not say what she summarized. The award was for helping health care providers, and making sure health information is available. Many other systems are doing this same work. Ms Long seems to have no idea why access to information is critical to improve health care. Why this is published as if it is true is unclear to me. Most of what she states is incorrect – and some is opinion which she is certainly entitled to. It should just be clear that it is not fact.

    • Kathy Sincere

      January 31, 2017 at 7:31 pm

      Brandon B –

      “It should just be clear that it is not fact”. If you are calling someone out on facts, be factual yourself. Specifically, show what is “opinion”. Ms. Long’s facts are as clear as day. Spot on. Not “alternative facts” such as you are providing.

      CDPHE data mines personal health information without consent and shares that information not only with other government agencies but also with private insurers. Just another government agency that instills public distrust, and rightly so.

    • Candace

      January 31, 2017 at 8:31 pm

      Brandon, you have to be awfully dimwitted not to see the dangers in an opt-out database such as this. I am a parent to a fully vaccinated child, so my concern with this database is not related to the vax vs. non-vax debate.

      If you look at this opt-out form, https://www.colorado.gov/pacific/sites/default/files/PW_CIIS_Opt-Out-Form-English.pdf, you can see the groups and organizations who will have access to each individual’s personal identifying information. There are potentially thousands of people in the state who can access your/your child’s information “with the touch of a button.” You honestly believe these people are 100% trustworthy with all this PII. What is more, these types of databases fall prey to hackers all the time.

      This opt-out form should be an opt-in form. You say this database is an improvement to health care, but the choice to participate has been robbed from the American citizen. Parents across the state should be informed that their child’s/children’s PII will be in such a vulnerable database and then given the option to decide whether or not to be in it. A child is automatically listed in the database as soon as they are issued a birth certificate. This is an extreme encroachment on an American’s civil liberties and CDPHE needs to me put in check.

    • Erika R.

      February 1, 2017 at 8:41 am

      You must not have been present at the rules hearings on this matter at the CDPHE that followed the passage of HB-1288, or you would realize that Ms. Long’s report is, indeed, fact. The CDPHE is violating privacy laws, and they feel they are justified in circ circumventing the laws on the books of the State of Colorado and your rights, “because they can.”

  • J Martin

    January 31, 2017 at 8:59 pm

    As a parent of an elementary child, and having recently moved into this state, I have been appalled by CDPHE’s actions this last year. CDPHE is an agency that should carry parents’ trust not take actions against our rights. Their dishonesty and total disregard of my parental rights and my child’s privacy are abhorrent! I am finding I can not trust the CDPHE and apparently I shall remain skeptical of our Governor’s actions as well. BOO!, Colorado state!


    February 1, 2017 at 7:28 am

    She needs to be shown the door and everyone associated with her.

  • H.C

    February 4, 2017 at 6:49 am

    CDPHE is completely out of control and needs to be put in check. Taxpayers lose as
    CDPHE promotes personal agendas.

  • paula rhoads

    February 15, 2017 at 12:24 pm

    While you are collecting healthcare data, I would like to know how many claimants for work comp benefits have been sent to prison using the bribe, er, “financial incentive” of C.R.S. 8-42-113 per year, for the last 20 years, what their names are, outcomes, and who took these bribes to stab injured workers in the back. As colorado’s solitary has recently released about 1,500 people with brain injuries, the cost to the public at $37000 per person per year is $55.5 million. That statute accomplishes the exact opposite of what workers comp is supposed to do. Journalists?

  • paula rhoads

    February 15, 2017 at 12:29 pm

    Also would like to know if there have been any prosecutions of employers/insurance companies for workers comp fraud against employee claimants in Colorado in the last 20 years? I’m guessing no. Pinnacol has purchased our elected attorney general thus entirely usurping a whore. So there is no one prosecuting employers for such fraud. Also nobody enforcing the law requiring work comp insurance in force.

  • Y

    February 23, 2017 at 9:17 pm

    Let me begin by stating that I think it’s entirely legitimate to debate the value of sharing information for public health purposes verse the risks to our privacy. However, I would recommend that the next time you write an opinion piece, you don’t quote articles if someone can easily prove that you have misrepresented those articles.

    Regarding point #3:

    The article you referenced from Patel et al states “No studies evaluated economic benefits that result from reduced morbidity and mortality from Vaccine Preventable Diseases”. It is disingenuous to claim that there was “no actual benefit”, as opposed to when there were no studies that evaluated the benefits.

    The review from Groom et al concludes “The studies included in this review provide evidence that IISs are effective in improving vaccination-related activities linked to increased vaccination rates and reduced risk for vaccine-preventable disease.” You cherry picked one statement out of the article referencing one study which did not show a difference in vaccination rates between practices using IIS vs those not using IIS – however, this study was judged as “of least suitable design”.

    I fully support backing opinions with facts. Just be sure that next time, you find articles which support your position.

  • Tami

    March 7, 2017 at 11:57 am

    As a Pediatrician, I cannot overstate how valuable the CIIS system is to help us as providers keep our patients up-to-date with their vaccines and to help ensure that the vaccines are given at the appropriate times and not too early. This system DOES NOT function as simply a tool for inventory and re-ordering and, in fact, has no functionality in that arena.

    We use CIIS on a daily basis to help keep our community safe and healthy and we need to continue its funding.

  • Brenna

    March 10, 2017 at 2:06 pm

    I beleive that it is the right of the parent, not the pediatrician to decide what is best for their child. The CIIS system would infringe on our privacy rights.

  • Marrin

    March 15, 2017 at 11:53 am

    Invasion of privacy – pure and simple

Comments are closed.