Phishing Attack on Legacy Health Leads to Disclosure of 38,000 Patients’ PHI

August 21, 2018

Legacy Health has discovered that an unauthorized individual gained access to its email system and the protected health information (PHI) of roughly 38,000 patients.
The Portland, OR-based health system manages two local hospices, four community hospices, and 70 health centers in Oregon, Southwest Washington, and the Mid-Willamette Valley, and is the second-largest health organization in the Portland Metro Area.
The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health concluded that access to the email accounts was gained as a result of employees being fooled by phishing emails.
Email breaches can take a substantial amount of time to investigate. While tools are available to scan email accounts for PHI, many of the emails in compromised accounts must be checked individually, which can involve manual review of hundreds of thousands of messages. According to Legacy Health spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”
To speed up the investigation, Legacy Health retained a prominent computer forensics company to investigate and help with the breach response. That investigation revealed that information such as names, driver’s license numbers, billing information, medical information relating to care provided at Legacy Health facilities, health insurance details, birth dates, and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.
Notices were sent to affected individuals on August 20, and all patients whose Social Security number or driver’s license number was exposed have been offered credit monitoring services for 12 months free of charge.
A media notice was provided to The Oregonian, and the Department of Health and Human Services has been notified within the 60-day window allowed by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent any further breaches of PHI.