[BreachExchange] Oregon State Hospital data breach may have compromised patient information

Destry Winant destry at riskbasedsecurity.com
Wed May 15 10:09:40 EDT 2019


https://www.statesmanjournal.com/story/news/2019/05/13/oregon-state-hospital-data-breach-compromises-patient-information-salem/1193386001/

Patients' health information may have been compromised after a
spear-phishing email was sent to an Oregon State Hospital employee on
May 3.

Oregon Health Authority officials said patients' information — first
and last names, dates of birth, medical record numbers, diagnoses,
treatment care plans — was exposed after the employee opened the
message.

Officials can't confirm, however, if the information was copied or
used "inappropriately," according to a release from OHA.

Spear-phishing is an online attack that attempts to steal sensitive
information. The attacker usually targets one person and disguises
themselves as someone the victim knows, according to Rebeka
Gipson-King, Oregon State Hospital relations director.

The employee opened the email around 9:50 a.m. on May 6 and clicked on
a link which prompted them to type their login information, allowing
the suspect to gain access, Gipson-King said.

OHA's information technology security detected the breach around 10:30
a.m. and stopped access to the employee's inbox, Gipson-King said.

The breach was reported to Oregon State Police, but aside from an IP
address, the suspect's identity is unknown.

The agency doesn't know how many patients were affected or what the
suspect did with the information, she said.

OHA will hire an external agency to examine the emails and clarify the
identity and number of patients affected — as well as the specific
information compromised.

It should take about four to six weeks to get more information.

OHA will send out an email to all patients whose information was
potentially compromised. When the review is complete, OHA plans to
send individual notices to affected patients.

State hospital employees receive health information security training
on how to avoid phishing scams, Gipson-King said. The agency learns
how to make systems more secure after phishing incidents happen.

Oregon State Hospital provides psychiatric treatment for adults from
throughout the state who need hospital-level care, according to the
hospital's website. There is an average of 615 patients at the Salem
and Junction City campuses.

