About 38,000 Legacy Health patients’ personal, medical or billing information might have been accessed in a May email breach
The Portland-based nonprofit health system said someone accessed multiple employees’ email accounts, some of which contained patient information. The breach was not discovered until June 21 and not publicly disclosed until Aug. 20, as the health system moved to establish a hotline and contact affected patients.
The information potentially exposed includes patients’ names, dates of birth, health insurance information, billing information, medical information regarding care they received at Legacy, social security numbers, and driver’s license information.
Legacy, which operates six hospitals and 70 clinics in Oregon and southwest Washington, said it has hired a firm to investigate the breach and will send notification letters to patients whose information might have been disclosed. Not all of the system’s patients are affected by the breach.
The health system said it found no indication the information had been misused, but it is offering free credit monitoring to patients whose social security numbers were exposed.
It also said it’s implementing new policies to prevent future breaches, but did not elaborate.
Federal officials have closely scrutinized previous breaches of patient privacy, which could violate federal laws restricting release of medical information. Oregon Health & Science University in 2016 agreed to pay federal authorities $2.7 million and enact a corrective action plan for a pair of 2013 data breaches that exposed information about more than 7,000 patients.