I realize that some will fault the entity for making early notification before they have all the facts, but my hat is off to the Oregon Health Authority (OHA). On May 6, they suffered – and quickly stopped – a successful spear-phishing attack that gave the attacker access to one employee’s mail account. That account held protected health information on patients in the state psychiatric hospital (Oregon State Hospital).
Uncertain as to exactly who had ePHI in that account and unsure whether any of the data was even accessed or copied, OHA notified state attorneys general and provided a media notice to let people know what had happened and that they would be bringing in experts to help them determine exactly who had ePHI in the mail account and whether it was accessed.
According to their media notice, the compromised emails contained patients’:
first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans and other information used to provide treatment for patients at the psychiatric hospital.
OHA indicates that they will provide additional information and follow up with affected individuals.
While there is no indication that any protected health information was copied from its email system or used inappropriately, Oregon State Hospital is notifying all patients that their information was potentially compromised. Once the review is complete, OHA will send individual notices to patients whose information was confirmed to be in the compromised emails.
According to its site, Oregon State Hospital (OSH) serves 1,400 people per year.
Their notification really does impress me. They caught the unauthorized access quickly and stopped it quickly, and, within four days, had notified states and issued a media release. Yes, there's a lot we don't know yet, but this is some great transparency that they are demonstrating.
As a trivia side note: the film "One Flew Over the Cuckoo's Nest" was filmed at the Oregon State Hospital in the 1970s.