Cyber Incident Victim: Legacy Health
Date: May 2018
Location: United States of America
Summary
A phishing attack compromised employee email accounts at Legacy Health, potentially exposing the data of 38,000 patients. Unauthorized access occurred over several weeks before detection, with compromised information including demographic details, birth dates, health insurance and billing records, medical data, and—for some individuals—Social Security numbers and driver’s licenses. The organization engaged forensic investigators, implemented additional access restrictions, and provided affected patients with one year of free monitoring services. This incident reflected broader trends in healthcare phishing threats during the period.
Description
Legacy Health, a Portland, Oregon-based health system, experienced a data breach affecting approximately 38,000 patients following a phishing attack targeting employee email accounts. The unauthorized access to these accounts began in May 2018 and persisted for several weeks before being discovered by Legacy Health officials on June 21, 2018. Upon detection, the organization engaged a third-party forensic firm to investigate the incident. The investigation confirmed that compromised email accounts contained sensitive patient information, including demographic details, dates of birth, health insurance information, billing records, and medical data. A subset of affected individuals also had their Social Security numbers and driver’s license information exposed through the breach. Legacy Health did not disclose technical specifics regarding the number of compromised email accounts or the exact duration of unauthorized access prior to detection.

In response to the incident, Legacy Health initiated notifications to all impacted patients and offered one year of free credit monitoring services. The organization implemented additional access restrictions on email accounts to prevent similar incidents, though no further technical details about these security enhancements were provided. This breach occurred during a period when phishing attacks were identified as the predominant cybersecurity threat to healthcare organizations, with multiple major incidents reported in 2018. Notably, UnityPoint Health suffered a separate phishing-related breach affecting 1.4 million patient records earlier that year, marking its second such incident within months. Legacy Health’s breach disclosure occurred on August 20, 2018, nearly two months after the initial discovery, as part of their compliance with notification requirements. The health system did not report evidence of actual misuse of patient data or disclose whether the attackers exfiltrated information beyond accessing the email accounts.
