The Oregon Health Authority uncovered a phishing incident at Oregon State Hospital that affected a single staff member's email box. That email box contained patients' health information protected under the Health Insurance Portability and Accountability Act (HIPAA).
The Oregon Health Authority takes the privacy and confidentiality of patient information seriously. Established information technology security processes enabled the agency to detect and contain the incident quickly and stop the unauthorized access to the affected email box. The agency cannot confirm that any patients’ personal information was copied from its email system or used inappropriately. However, it is notifying the public because protected health information was accessible to an unauthorized person or persons.
On May 6, 2019, OHA and the Enterprise Security Office Incident Response team confirmed that a breach of regulated information had occurred. A spear-phishing email was sent to an OHA Oregon State Hospital employee. The employee opened the phishing email and exposed their credentials to an outside entity.
The compromised emails contained patients' protected health information. This information may include first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans and other information used to provide treatment for patients at the psychiatric hospital. OHA's investigation so far has not shown that the email box contains any other type of protected information.
OHA is in the process of thoroughly reviewing the incident and the information involved. The agency plans to hire an external entity to perform a forensic review of the emails. This includes clarifying the number and identities of individuals whose information was compromised and the specific kinds of information involved. OHA will provide additional information and follow up with affected individuals.
The security and confidentiality of private health information is critical to the Oregon Health Authority and Oregon State Hospital. While there is no indication that any protected health information was copied from its email system or used inappropriately, Oregon State Hospital is notifying all patients that their information was potentially compromised. Once the review is complete, OHA will send individual notices to patients whose information was confirmed to be in the compromised emails.