Oregon State Hospital is preparing to notify patients that their protected health information (PHI) may have been compromised due to an employee responding to a phishing email.
The phishing attack was discovered at 10:30 AM on May 6, 2019, merely 40 minutes after the employee responded to the hacker’s email. The IT staff immediately took steps to secure the account. Due to the short timeframe in which the hacker could have accessed the information stored in the email account, it is unlikely that the hacker had time to access and download the PHI.
However, the possibility cannot be ruled out, and Oregon State Hospital does not yet know whether the attacker gained access to PHI. An investigation is underway in conjunction with a third-party cybersecurity company to determine which patients may have been affected by the breach. The hospital expects that process to take around 4-6 weeks. Once the affected patients have been identified, notifications will be sent.
The hospital has confirmed that the email account contained patient information such as full names, dates of birth, medical record numbers, diagnoses, and treatment plans.
Oregon State Hospital should be commended for its rapid response to the phishing attack. Even with the most sophisticated spam filters and email security solutions, it is difficult to eliminate the risk of a phishing attack. Oregon State Hospital has shown that even if an employee is duped by a phishing email, the harmful consequences of the breach can be mitigated by having a quick and effective response plan in place.