Oregon Healthcare Provider Suffers Employee Email Data Breach
Table of Contents
- By Steven
- Dec 13, 2023
In Oregon, the Neuromusculoskeletal Center of the Cascades and Cascade Surgicenter collectively are “The Center.” The professionals that work there are highly trained doctors from many fields, including physiatry, occupational medicine, neurosurgical, and orthopedic care. The Center serves central Oregon at three stand-alone clinics and rural treatment at six shared clinics. Many Oregonians may receive a letter from The Center in the upcoming weeks—they’ve had a significant patient data breach.
How Did the Attack Occur?
There is little public knowledge about the event or how the assailants made it possible; according to the Notice of Data Incident published on The Center’s website, the event stemmed from employee emails. Purportedly, an unauthorized party accessed multiple employee email accounts, and those accounts contained some patient information. How the assailants accessed the accounts is unclear, as there is no indication of human error or malicious thieving.
What Information Was Viewed or Stolen?
The data accessed in this event will have significant consequences for its owners. The information differs between individuals, and not all elements may have exposures in the event; the exposures include full names, birthdays, Social Security Numbers, addresses, phone numbers, email addresses, driver’s license and state ID numbers, financial account information including account numbers, some routing numbers, the financial institution’s name, plus credit/debit card information, and medical information including diagnosis/treatment details, provider name, prescription information, medical record numbers, Medicare or Medicaid ID numbers, specific health insurance information, treatment costs, and digital signatures. Those with data exposed in this event must take action to protect themselves and their future.
How Did the Neuromusculoskeletal Center of the Cascades Admit to the Breach?
According to the breach notice, the unauthorized actor accessed the employee email accounts between October 2nd and 3rd, 2023. On October 3rd, Center officials noticed suspicious activity within an email, pushing them to launch investigations. On or around November 21st, they completed the review and began to notify the necessary parties. On or around December 1st, The Center published its website notice; this same day, they submitted a breach filing to the Department of Health and Human Services. On December 12th, their filing appeared on the DHHS website.
What Will Become of the Stolen Information?
It’s challenging, if not impossible, to determine what will happen to the accessed information. However, because the event was not ransomware, the assailants may sell or misuse the data to generate a profit. On the dark web, criminals can sell records in single or bulk transactions, with costs ranging up to hundreds. Conversely, if the bad actors seek further system vulnerabilities, they may misuse the data in impersonation plots. Most likely, either the threat actors or their associates will use the information in fraudulent events; this may put data owners in the crosshairs of the law.
What Should Affected Parties Do in the Aftermath of the Breach?
First, those impacted by this breach should secure their accounts. They should update and change their passwords to complex, multi-symboled passcodes, preferably maintained within a password generator. In addition, those who can change the information associated with them should consider doing so; in cases of financial exposures, consider opening new accounts with new numbers and cards.
However, those with unchangeable elements should invest in monitoring services and consistently check their accounts. Particularly in medical information exposures, they should closely review all statements from their providers and ensure the services rendered are correct. Although this event happened in October, victims still have time to protect themselves and their futures.