The Oregon Clinic

The Oregon Clinic is a healthcare provider operating within the United States. Its core function involves delivering medical services to patients, necessitating the collection and processing of sensitive health information. This includes protected health information such as patient names, dates of birth, medical record numbers, diagnoses, test results, prescription details, and insurance information. For a limited subset of patients, Social Security numbers were also maintained within its systems. The organization relies on electronic communication systems, including employee email accounts, for operational activities.

On March 9, 2018, The Oregon Clinic experienced a cybersecurity incident involving unauthorized access to an employee email account. The breach was confined to this single compromised account, with no evidence indicating broader system compromise. Upon discovery, the organization promptly deactivated the affected account and initiated an investigation with the assistance of external cybersecurity forensic specialists. The investigation confirmed the unauthorized access and identified the types of patient data potentially exposed within the breached email account. The Oregon Clinic subsequently notified individuals whose protected information may have been accessed and provided them with guidance on protective measures. The organization also implemented additional security measures aimed at preventing similar incidents in the future, emphasizing its collaboration with experts throughout the incident response process.