The Oregon Clinic notifies patients after data breach
The Oregon Clinic—serving the Portland metropolitan region—on March 9 learned that an unauthorized party had accessed one of the organization’s email accounts, thus potentially gaining access to patient information.
Now, affected individuals are being offered a year of credit and/or identity monitoring services from Experian, depending on what data was impacted. The clinic did not disclose how many patients were affected by the breach; the incident has not yet been posted on the data breach web site operated by the Office for Civil Rights of the Department of Health and Human Services.
The clinic has about 270 providers handling around 485,000 patient visits annually through 59 clinics serving northwest Oregon and southwest Washington.
After discovering the breach, the clinic disabled the email account, launched an investigation and contracted with a digital forensics firm to assess the nature and extent of the breach. The investigation took nearly six weeks to determine that the incident was restricted to the one email account and did not affect any other areas of the clinic.
Protected health information compromised by the breach included medical record numbers, diagnosis information, medical conditions, diagnostic tests performed, prescription information, insurance information and, for a limited number of patients, Social Security numbers.
In addition to offering protective services, The Oregon Clinic also gave affected individuals guidance on protecting their personal information, including the need to register a fraud alert with the three major credit bureaus.
“If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained,” the clinic advised patients. “You also should promptly report any fraudulent activity or any suspected incident of identity theft to proper law enforcement authorities, your state attorney general and/or the Federal Trade Commission.”
Scot Gudger, CEO at The Oregon Clinic, issued the following statement to Health Data Management:
“We are very sorry this happened and apologize to the patients who have been affected by this incident. We value our patients and will continue to work closely with cybersecurity experts to remediate this situation and, most importantly, are taking steps to help prevent similar incidents from happening in the future.”