Legacy Health, a non-profit hospital system based in Portland, Oregon, has recently announced that approximately 38,000 of its patients have had their protected health information (PHI) compromised in a recent data breach. The breach was announced after workers at the facility discovered that an unauthorized individual had gained access to its email system and used this access to collect information on its patients.
Legacy Health operates two regional hospitals, four community hospitals, and over 70 clinics in Oregon. The organisation recently expanded its operations to Southwest Washington and the Mid-Willamette Valley. The healthcare system employs over 10,000 staff members and is the second largest health system in the Portland Metro Area.
The data breach was discovered by staff on June 21, 2018. An investigation was quickly launched, and investigators discovered that the email accounts were first accessed in May. It was determined that a hacker had used a phishing scheme to gain access to the system: an unspecified number of employees fell for a phishing email that was sent to employees of Legacy Health.
The healthcare industry has faced a recent epidemic of hackers breaking into its systems to gain access to the PHI of thousands, or in some cases millions, of patients. PHI has enormous black market value, which has long been an incentive for individuals with easy access to it.
HIPAA stipulates that covered entities must both limit the opportunity for individuals to steal patient data and put systems and policies in place so that improper access to and theft of PHI can be rapidly identified.
The investigation into the breach is a long and tiresome process. While software exists that is designed to scan email accounts for protected health information and estimate how much data may have been stolen, many of the emails in compromised accounts need to be individually checked. This leaves investigators sifting through hundreds of thousands of emails, of which only a handful will be useful. When questioned about the scale of the incident and the progress of the investigation, Legacy Health spokesperson Kelly Love said, “We’ve been moving at as fast a pace as we can to be thorough and clear.”
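The paragraph above describes the two halves of a mailbox-exposure investigation: automated scanning for identifiers that count as PHI, and manual review of everything the scanner cannot classify. The following is an added example of that triage (it is not Legacy Health's tooling, nor the forensics firm's), written in Python with a small constructed mailbox. It assumes US-style Social Security numbers and two common date-of-birth formats, and uses an invented `Member ID` layout; all names and numbers in the sample messages are made up.

```python
import re
from typing import Dict, List

# Constructed sample mailbox (invented names and numbers, for the example only).
# msg-002 and msg-003 describe the same patient with differently formatted identifiers;
# msg-004 is clinical in nature but carries no identifier a regex can catch.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "msg-001", "subject": "Lunch Friday?",
     "body": "Are we still on for the team lunch?"},
    {"id": "msg-002", "subject": "Referral for patient",
     "body": "Patient: Jane Doe, DOB 04/12/1975, SSN 123-45-6789. "
             "Member ID ABC123456. Diagnosis attached."},
    {"id": "msg-003", "subject": "Billing follow-up",
     "body": "Please re-bill account for DOB 1975-04-12, SSN 123456789. "
             "Insurance: Acme Health."},
    {"id": "msg-004", "subject": "Room 4",
     "body": "Can you check on the patient in room 4? Discharge summary pending."},
]

# Identifier patterns. Deliberately simple: a production scanner would add context
# checks (surrounding words, checksums) to cut false positives on plain 9-digit numbers.
PATTERNS: Dict[str, re.Pattern] = {
    # SSN with or without dashes; the lookaheads reject never-issued area/group/serial values.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b"),
    # Date of birth as MM/DD/YYYY or ISO YYYY-MM-DD.
    "dob": re.compile(r"\b(?:\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # Hypothetical insurer member-ID layout (three letters, six digits), assumed for the example.
    "member_id": re.compile(r"\bMember ID\s+([A-Z]{3}\d{6})\b"),
}

# Words that suggest clinical content even when no identifier pattern fires.
REVIEW_KEYWORDS = ("patient", "diagnosis", "insurance", "discharge")


def normalize(kind: str, value: str) -> str:
    """Canonicalise identifiers so the same person is not counted twice."""
    if kind == "ssn":
        return value.replace("-", "")
    if kind == "dob" and "/" in value:          # MM/DD/YYYY -> YYYY-MM-DD (US ordering assumed)
        month, day, year = value.split("/")
        return f"{year}-{month}-{day}"
    return value


def scan_message(msg: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {kind: [normalised values]} for every identifier found in one message."""
    text = f"{msg['subject']}\n{msg['body']}"
    findings: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = set()
        for match in pattern.finditer(text):
            raw = match.group(1) if match.groups() else match.group(0)
            hits.add(normalize(kind, raw))
        if hits:
            findings[kind] = sorted(hits)
    return findings


def scan_mailbox(messages: List[Dict[str, str]]) -> Dict[str, object]:
    """Estimate exposure across a mailbox and queue unclassifiable mail for humans."""
    unique = {kind: set() for kind in PATTERNS}
    phi_messages: List[str] = []
    manual_review: List[str] = []
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            phi_messages.append(msg["id"])
            for kind, values in findings.items():
                unique[kind].update(values)
        else:
            text = f"{msg['subject']} {msg['body']}".lower()
            if any(word in text for word in REVIEW_KEYWORDS):
                manual_review.append(msg["id"])   # clinical language, no identifier: a human must read it
    return {
        "total": len(messages),
        "phi_messages": phi_messages,
        "manual_review": manual_review,
        "unique": {kind: sorted(values) for kind, values in unique.items()},
        # Distinct SSNs is the most defensible lower bound on distinct patients exposed.
        "estimated_patients": len(unique["ssn"]),
    }


if __name__ == "__main__":
    report = scan_mailbox(SAMPLE_MESSAGES)
    print(f"{report['total']} messages, {len(report['phi_messages'])} with PHI, "
          f"{len(report['manual_review'])} queued for manual review")
    print(f"estimated distinct patients: {report['estimated_patients']}")
```

The normalisation step matters for the headline number: the two billing messages name one patient in two formats, and without it the scanner would report two exposed patients instead of one. The manual-review queue is the scanner's honest admission of its limits, and in a real mailbox it is the part that consumes the investigators' time.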
Legacy Health hired a third party to assist with the investigation due to its scale and significant importance. A leading computer forensics firm was brought in to assist with the investigation and with the breach response. It was determined that information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, driver’s license numbers and Social Security numbers may all have been accessed by the hacker. However, Legacy Health said that it has yet to find any evidence that any of the patient information has been used for malicious purposes.
In accordance with HIPAA’s Breach Notification Rules, notifications were sent on August 20 to those who had been identified as being affected by the breach. Any patient whose driver’s license number or Social Security number was exposed has been offered credit monitoring services for 12 months without charge.
Due to the large size of the breach, a media notice was provided to The Oregonian, a local newspaper, in accordance with the Breach Notification Rules. The Department of Health and Human Services was notified within the 60-day window required by HIPAA. Steps are also being taken to improve email security and prevent any further breaches of PHI.