Oregon State Hospital

Oregon State Hospital became victim of a successful spear-phishing attack that gave the attacker access to one employee’s mail account.

That account held protected health information on patients their first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans and other information used to provide treatment for patients at the psychiatric hospital.

While it was unclear that exactly who had ePHI in that account and unsure whether any of the data was even accessed or copied.

But there is no indication that any protected health information was copied from its email system or used inappropriately.

Source: https://www.databreaches.net/oregon-health-authority-provides-early-notification-to-oregon-state-hospital-patients-of-a-phishing-incident/

TPRM report: https://scoringcyber.rankiteo.com/company/oregon-state-hospital

"id": "ore193719323",
"linkid": "oregon-state-hospital",
"type": "Data Leak",
"date": "05/2019",
"severity": "50",
"impact": "1",
"explanation": "Attack without any consequences"

{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Oregon, USA',
                        'name': 'Oregon State Hospital',
                        'type': 'Psychiatric Hospital'}],
 'attack_vector': 'Spear-phishing',
 'data_breach': {'personally_identifiable_information': ['First and last names',
                                                         'Dates of birth',
                                                         'Medical record '
                                                         'numbers',
                                                         'Diagnoses',
                                                         'Treatment care plans',
                                                         'Other treatment '
                                                         'information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Protected health information']},
 'description': 'Oregon State Hospital became victim of a successful '
                'spear-phishing attack that gave the attacker access to one '
                'employee’s mail account. That account held protected health '
                'information on patients including their first and last names, '
                'dates of birth, medical record numbers, diagnoses, treatment '
                'care plans and other information used to provide treatment '
                'for patients at the psychiatric hospital. While it was '
                'unclear exactly who had ePHI in that account and unsure '
                'whether any of the data was even accessed or copied, there is '
                'no indication that any protected health information was '
                'copied from its email system or used inappropriately.',
 'impact': {'data_compromised': ['First and last names',
                                 'Dates of birth',
                                 'Medical record numbers',
                                 'Diagnoses',
                                 'Treatment care plans',
                                 'Other treatment information'],
            'systems_affected': ['Employee mail account']},
 'initial_access_broker': {'entry_point': 'Email account'},
 'title': 'Oregon State Hospital Phishing Attack',
 'type': 'Phishing',
 'vulnerability_exploited': 'Human vulnerability'}