Oregon State Hospital has announced a phishing attack. An employee of Oregon State Hospital was tricked into responding to a spear phishing email, resulting in the potential compromise of the protected health information (PHI) of some patients. The employee received the phishing email on May 3 and responded to it on May 6. As a result, the employee's email login credentials were disclosed to the attacker.
Oregon State Hospital detected the unauthorized access promptly and took steps to quickly secure the employee's email account. The employee took action on the phishing email at 9:50 AM, and the hospital's IT team became aware of the breach at 10:30 AM. Because the account was secured immediately, the attacker had limited time to access it, lowering the potential for viewing or copying any of the information contained in the email messages and attachments.
At present, Oregon State Hospital does not know whether the attacker actually accessed patients' PHI during the 40 minutes the account was accessible. The hospital also has not yet determined which patients were affected by the breach.
A third-party cybersecurity firm was called in to review the compromised email account and determine whose PHI was potentially exposed. The hospital expects the review to take about 4-6 weeks. As soon as Oregon State Hospital has identified the patients affected by the breach, it will issue breach notifications.
The hospital has confirmed that the following patient information was contained in the email account: full names, birth dates, treatment plans, medical record numbers and diagnoses.
It is not possible to stop every phishing attack. However, detecting breaches quickly and responding to them promptly can reduce the potential damage. The hospital ought to be commended for quickly detecting the breach and for giving early media notice as well: the media notice was issued one week after the breach occurred.