[BreachExchange] Legacy Health email breach exposes 38, 000 patients' information

[Destry Winant]

https://www.oregonlive.com/business/index.ssf/2018/08/legacy_health_email_breach_mig.html

About 38,000 Legacy Health patients' personal, medical or billing
information might have been accessed in a May email breach, the health
system said Monday.

The Portland-based nonprofit health system said someone accessed
multiple employees' email accounts, some of which contained patient
information. The breach was not discovered until June 21 and not
publicly disclosed until Monday, as the health moved to establish a
hotline and contact affected patients.

"We've been moving at as fast a pace as we can to be thorough and
clear," said Kelly Love, a Legacy spokeswoman.

The information potentially exposed includes patients' names, dates of
birth, health insurance information, billing information, medical
information regarding care they received at Legacy, social security
numbers and driver's license information.

Legacy, which operates six hospitals and 70 clinics in Oregon and
southwest Washington, said it has hired a firm to investigate the
breach and will send notification letters to patients whose
information might have been disclosed. Not all of the system's
patients are affected by the breach.

The health system said found no indication the information had been
misused, but it is offering free credit monitoring to patients whose
social security numbers were exposed.

It also said it's implementing new policies to prevent future
breaches, but did not elaborate.

Patients with questions can call 888-277-6762 between 6 a.m. and 5
p.m. Monday through Friday.

Federal officials have closely scrutinized previous breaches of
patient privacy, which could violate federal laws restricting release
of medical information. Oregon Health & Science University in 2016
agreed to pay federal authorities $2.7 million and enact a corrective
action plan for a pair of 2013 data breaches that exposed information
about than 7,000 patients.