Patient Data Stolen in Legacy Health Phishing Attack

Legacy Health has announced that the PHI of 38,000 patients was stolen during a phishing attack on their facility.

Legacy Health is a non-profit hospital system based in Portland, Oregon. The organisation consists of six hospitals and employs upwards of 10,000 staff.

IT security staff at Legacy Health discovered the breach on June 21. The staff quickly launched an investigation to determine the cause and scope of the breach. Investigators determined that the hacker had gained access to the files in May following a successful phishing attack. The breach involved several employee email accounts.

Due to the high black-market value of healthcare data, hospitals are potentially lucrative targets for hackers. Phishing campaigns are particularly successful as only one employee need respond to a phishing email for the hacker to gain access to hundreds or thousands of data files.

The investigators analysed all of the data contained in the emails in the affected accounts. The stolen data included information as patients’ names, dates of birth, demographic information, health insurance details, billing information, and for certain patients, their Social Security number or driver’s license number.

Analysts could not determine if the attacked downloaded any of the information from the email accounts. In their breach notice, Legacy Health stated that they had not received reports that any patient information had been misused.

Patients who have had their data compromised in breaches such as this are at increased risk of becoming victims of data fraud. In an abundance of caution, and as an act of good faith, Legacy Health has offered any patient whose Social Security number or driver’s license number was compromised complimentary credit monitoring services for 12 months.

In response to the breach, Legacy Health has implemented new access restrictions on their employee email accounts. The organisation is in the process of reviewing their methods and practices to ensure that the risk of a similar breach occurring again is minimal.

Organisations in any industry can employ several basic practices to mitigate the risk of a successful phishing attack on their network. Installing spam filtering technology on employee email accounts can reduce the likelihood of phishing emails reaching employees. The fewer spam emails that reach employees, the less likely it is that an employee will be fooled by one. IT departments should ensure that all web browsers are fitted with filters that block access to known phishing websites. Many experts recommend the use of two-factor authentication to reduce the risk of unauthorised individuals accessing email accounts.

Training courses should be held regularly updating employees on new methods of mitigating the risk of such attacks and reminding them of how to spot phishing emails. As can be seen in the case of Legacy Health, employee awareness of cyber threats is critical to ensuring patient data remains secure.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on and contact Emma at