SALEM, OR (KPTV) – A spear-phishing incident at the Oregon State Hospital has exposed patients’ health information protected under HIPAA, the Oregon Health Authority (OHA) says.
OHA says established security processes allowed them to detect and contain the incident quickly and stop unauthorized access to the email box of the one Oregon State Hospital employee affected.
OHA says the employee opened a phishing email and exposed their credentials to an outside entity.
OHA and the Enterprise Security Office Incident Response team confirmed that a breach of regulated information had occurred on May 6.
The compromised emails contained patients’ protected health information, which could include medical record numbers, diagnoses, treatment care plans, and other information used to provide treatment for patients at the psychiatric hospital. OHA’s investigation so far has not shown the email box contains any other type of protected information.
OHA is in the process of reviewing the incident and the information involved and says the agency plans to hire an external entity to perform a forensic review of the emails.
OHA says while there is no indication that any protected health information was copied from its email system or used inappropriately, Oregon State Hospital is notifying all patients that their information was potentially compromised. Once the review is complete, OHA will send individual notices to patients whose information was confirmed to be in the compromised emails.
