Legacy Health Phishing Attack Exposed 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has accessed its email system and potentially viewed and copied the protected health information (PHI) of around 38,000 patients.

The Portland, OR-based health system runs two regional hospitals, 70 clinics, and four community hospitals in Oregon, Southwest Washington, and the Mid-Willamette Valley. Legacy Health is the second biggest health system operating in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the investigation into the breach determined that email accounts were first accessed by the attacker in May. Legacy Health stated that access to the email accounts was gained when some of its staff members responded to phishing emails and disclosed their login credentials.

Tools are available to scan email accounts for PHI; however, many emails in compromised accounts must be individually checked. When multiple email accounts are compromised, each of which can contain many thousands of messages, it can take many weeks to determine what information has potentially been accessed and the individuals affected. Legacy Health Spokesperson Kelly Love explained that the health system is moving at as quickly as possible with the investigation.

Legacy Health did retain the services of a computer forensics firm to help investigate the breach. According to the investigators, information such as names, birth dates, health insurance details, medical information, billing details, driver’s license numbers and Social Security numbers may all have been accessed. Legacy Health isn’t aware of any patient information being used for malicious purposes.

Legacy Health sent notifications to affected people on August 20 and patients who had their driver’s license number or Social Security number exposed were offered credit monitoring services for 12 months at no cost. Legacy Health has already taken steps to improve email security and prevent further PHI breaches.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The Department of Health and Human Services has been notified and a breach report has been released to the media.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/