Legacy Health Phishing Attack Exposed 38,000 Patients’ PHI

Legacy Health has discovered that an unauthorized individual accessed its email system and potentially viewed and copied the protected health information (PHI) of around 38,000 patients.

The Portland, OR-based health system runs two regional hospitals, 70 clinics, and four community hospitals in Oregon, Southwest Washington, and the Mid-Willamette Valley. Legacy Health is the second-biggest health system operating in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the investigation into the breach determined that email accounts were first accessed by the attacker in May. Legacy Health stated that access to the email accounts was gained when some of its staff members responded to phishing emails and disclosed their login credentials.

Tools are available to scan email accounts for PHI; however, many emails in compromised accounts must be individually checked. When multiple email accounts are compromised, each of which can contain many thousands of messages, it can take many weeks to determine what information has potentially been accessed and which individuals are affected. Legacy Health spokesperson Kelly Love explained that the health system is moving as quickly as possible with the investigation.

Legacy Health retained the services of a computer forensics firm to help investigate the breach. According to the investigators, information such as names, birth dates, health insurance details, medical information, billing details, driver’s license numbers and Social Security numbers may all have been accessed. Legacy Health isn’t aware of any patient information being used for malicious purposes.

Legacy Health sent notifications to affected people on August 20, and patients who had their driver’s license number or Social Security number exposed were offered credit monitoring services for 12 months at no cost. Legacy Health has already taken steps to improve email security and prevent further PHI breaches.

The Department of Health and Human Services has been notified and a breach report has been released to the media.