About FlashAlert on Twitter:
FlashAlert utilizes the free service Twitter to distribute emergency text messages. While you are welcome to register your cell phone text message address directly into the FlashAlert system, we recommend that you simply "follow" the FlashAlert account for Oregon Health Authority by clicking on the link below and logging in to (or creating) your free Twitter account. Twitter sends messages out exceptionally fast thanks to arrangements they have made with the cell phone companies.
Click here to add Oregon Health Authority to your Twitter account or create one.
@OHAOregon
May 13, 2019
Media contact: Rebeka Gipson-King, 503-756-0366, rebeka.gipson-king@dhsoha.state.or.us
Oregon Health Authority notifies public of data breach at Oregon State Hospital
SALEM, Ore. — The Oregon Health Authority uncovered a phishing incident at Oregon State Hospital that affected one staff person’s email box. That email box contained patients’ health information protected under the Health Insurance Portability and Accountability Act (HIPAA).
The Oregon Health Authority takes the privacy and confidentiality of patient information seriously. Established information technology security processes enabled the agency to detect and contain the incident quickly and stop the unauthorized access to the affected email box. The agency cannot confirm that any patients’ personal information was copied from its email system or used inappropriately. However, it is notifying the public because protected health information was accessible to an unauthorized person or persons.
What happened?
On May 6, 2019, OHA and the Enterprise Security Office Incident Response team confirmed that a breach of regulated information had occurred. A spear-phishing email was sent to an OHA Oregon State Hospital employee. The employee opened the phishing email and exposed their credentials to an outside entity.
What information was involved?
The compromised emails contained patients’ protected health information. This information may include first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans and other information used to provide treatment for patients at the psychiatric hospital. OHA’s investigation so far has not shown the email box contains any other type of protected information.
What is the Oregon Health Authority doing?
OHA is in the process of thoroughly reviewing the incident and the information involved. The agency plans to hire an external entity to perform a forensic review of the emails. This includes clarifying the number and identities of individuals whose information was compromised and the specific kinds of information involved. OHA will provide additional information and follow up with affected individuals.
The security and confidentiality of private health information is critical to the Oregon Health Authority and Oregon State Hospital. While there is no indication that any protected health information was copied from its email system or used inappropriately, Oregon State Hospital is notifying all patients that their information was potentially compromised. Once the review is complete, OHA will send individual notices to patients whose information was confirmed to be in the compromised emails.
# # #