Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks

Oregon State Hospital has announced that the protected health information (PHI) of some of its patients was potentially compromised as a result of an employee being duped by a spear phishing email.

The email was received on May 3 and the employee responded on May 6. The response resulted in the disclosure of email login credentials.

The unauthorized access was detected quickly, and steps were rapidly taken to secure the account. The employee responded to the message at 9:50 AM and Oregon State Hospital’s IT team detected the breach at 10:30 AM and secured the account. The limited time the attacker had access to the account reduced the potential for any information in emails and email attachments to be viewed or copied.

Currently, Oregon State Hospital is unaware whether the attacker gained access to patients protected health information during the 40 minutes that the account was accessible, and the hospital has yet to determine which patients have been affected.

A third-party cybersecurity company has been hired to conduct an analysis of the compromised account to determine which patients’ PHI has been exposed. The hospital expects that process to take around 4-6 weeks. Once the affected patients have been identified, notifications will be sent.

The hospital has confirmed that the email account contained patient information such as full names, dates of birth, medical record numbers, diagnoses, and treatment plans.

Phishing attacks cannot always be prevented but rapid detection and a prompt breach response can limit the harm caused. The hospital should be commended for both the rapid detection of the breach and the early media notice, which was issued just a week after the breach was experienced.

Episcopal Health Services Issues Further Notifications About 2018 Phishing Attack

Episcopal Health Services, which operates St. John’s Episcopal Hospital in New York, has issued a second batch of notifications to patients who were recently discovered to have been impacted by a 2018 phishing attack.

Episcopal Health Services was alerted to a potential phishing attack when suspicious activity was detected within several employee email accounts in September 2018. An investigation was launched to determine the cause of that suspicious activity, which revealed several email accounts had been subjected to unauthorized access as a result of responses to phishing emails.

The investigation confirmed that the accounts had been breached between August 28, 2018 and October 5, 2018. Those accounts were reviewed to determine whether they contained patient information. Episcopal Health Services determined on November 1, 2018, that some patients’ PHI had been exposed and on November 15, individuals for whom a valid postal address was held were sent notification letters.

The exposed information varied from individual to individual and may have included names, dates of birth, financial information, Social Security numbers, medical record numbers, diagnoses, medical histories, prescription information, treatment information, and health insurance information.

The compromised email accounts continued to be reviewed to determine whether they contained protected health information and on March 19, 2019, a second round of notification letters were sent to patients who were also discovered to have been affected by the breach.

Individuals whose PHI has been exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The breach report submitted to the HHS’ Office for Civil Rights on November 19, 2018 indicates 218,055 individuals were impacted by the phishing attacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.