Portland, Oregon-based Legacy Health is notifying 38,000 patients that a phishing attack may have breached their data.

According to the notice, officials discovered unauthorized access to some employee email accounts on June 21. However, the access began several weeks before in May 2018. The health system hired a third-party forensic firm to help with its investigation.

[Also: The biggest healthcare data breaches of 2018 (so far)]

Officials determined patient data was included in the breached email accounts, including demographic information, dates of birth, health insurance data, billing details, medical data and for some patients, Social Security numbers and driver’s licenses.

Legacy Health is “implementing additional access restrictions.” All impacted patients were given one year of free monitoring. No further details were provided.

The health system is just the latest to be breached by a phishing attack this year. In fact, the most recent Protenus Breach Barometer found phishing attacks were the greatest cyber threat of the second quarter of 2018.

In July alone, four organizations reported breaches that stemmed from phishing attacks -- the biggest breach was UnityPoint Health with 1.4 million patient records. What’s worse is that it was the health system’s second breach from a phishing attack this year.

Fending off phishing attacks begin with staff education. Many organizations have found success in phishing simulations that test awareness among employees. Network monitoring is also critical to detect abnormal access or user behavior.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com