Oregon Health Authority (OHA) recently notified the public of a successful spear-phishing attempt.

What happened?

A spear-phishing email was sent to an OHA Oregon State Hospital employee at the beginning of May. On May 6, 2019, the employee opened the email and entered the credentials for their email account, which made the spear-phishing attempt successful.

What is spear-phishing?

Spear-phishing is the practice of sending targeted emails that appear to come from known or trusted senders in order to entice the recipient to reveal confidential information, such as access credentials.

Once an outside party has access to an employee’s email account, they can read every message in it. In health care, emails can contain a great deal of Protected Health Information (PHI), such as names, dates of birth, Social Security numbers, addresses, reasons for visits, and so on.

Was PHI accessed?

The employee opened the email at 9:50 a.m., and the IT team detected the breach around 10:30 a.m. That gave the outside party up to 40 minutes of access to anything in the email account. So far, the IT team has found no evidence that the information was accessed. However, OHA plans to retain a company to review the incident and determine whether information was actually accessed.

What can we learn here?

The response time of OHA’s IT team was excellent. There are many stories of breaches that went unnoticed for years. By uncovering the issue quickly, the IT team limited how long the outside party had access to the emails, and therefore how much information they could gather.

OHA will send emails to patients who were potentially affected. After the review is complete, OHA will send individual emails to those who were actually affected. State hospital employees receive training on how to avoid these types of scams, but malicious actors are constantly working to make their attacks look like legitimate email. Continual training is a must for any organization that uses email.

To learn about other ways to train your employees and stay up to date with HIPAA compliance, join HIPAAgps today. We even offer a 7-day risk-free trial, so you can experience our simple, effective solution before you join. Contact us today if you’d like more information.