Cyber Incident Victim: Oregon Health Authority
Date: May 2019
Location: United States of America
Summary
The Oregon Health Authority experienced a spear-phishing attack resulting in unauthorized access to an employee's email account containing protected health information of patients at a state psychiatric hospital. The compromised data included names, birth dates, medical record numbers, diagnoses, treatment plans, and other clinical details. The organization halted the breach promptly and initiated notifications to state authorities and the public within days, despite uncertainty about specific data exposure or misuse. While no evidence indicated information was copied or misused, all potentially affected patients received preliminary alerts, with plans for individualized notifications pending a comprehensive review of the impacted email contents. The incident demonstrated proactive transparency amid ongoing forensic analysis.
Description
On May 6, 2019, the Oregon Health Authority (OHA) experienced a spear-phishing attack that compromised a single employee’s email account. The attack was swiftly detected and terminated by OHA, preventing further unauthorized access. The compromised account contained protected health information (PHI) related to patients of the Oregon State Hospital (OSH), the state’s psychiatric facility. The emails in the account included sensitive patient data such as first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans, and other clinical information used for patient treatment. OHA could not immediately confirm whether the attacker accessed or copied any PHI during the breach window, nor could they definitively identify all individuals whose data resided in the affected account.

Within four days of the incident, OHA initiated preliminary notifications by alerting state attorneys general and issuing a media release on May 10, 2019, to inform the public of the breach. As a precaution, Oregon State Hospital began notifying all patients—approximately 1,400 individuals served annually—that their information was potentially exposed, despite no evidence of misuse or data exfiltration. OHA engaged external experts to conduct a forensic review of the compromised account to identify precisely which patients had PHI in the emails and whether the data was accessed. The agency committed to providing individualized notifications to confirmed affected patients upon completing the investigation. No ransomware, malware, or additional attacker tactics beyond the initial phishing compromise were disclosed in the available reporting.
