PORTLAND, Ore. (KOIN) — Oregon Health & Science University is on the hook after sending a phishing email to employees earlier this week offering thousands in financial assistance.
On Tuesday, the hospital sent a phishing email saying it was partnering with Green Dot to provide employees up to $7,500 as many were feeling the hardships created during the pandemic.
The e-mail prompted employees to visit OHSU’s benefits page and fill out the appropriate fields. But when workers clicked on the link they were directed to a 404 – Quick Tip page saying, “This was an authorized phishing simulation from your organization as part of your program.”
According to the hospital, the email was sent as a “regular exercise” to test employees on spotting a scam. In a statement, OHSU said in part “the language in the test e-mail was taken verbatim from an actual phishing e-mail, to ensure no one else fell for the scam.”
Despite this, some users claiming to be OHSU employees took to social media to share their frustrations.
One user linked back to a blog post written by an OHSU union representative, Ross Grami. In the blog post, Grami said in part “one does have to wonder if waging psychological warfare on your own employees is the best way to educate them on cybersecurity.”
Further, Grami claimed the hospital sent the email “under the name of a Local 328 member, potentially subjecting this employee to a deluge of hurtful and angry emails.”
OHSU told KOIN 6 News that there are some employees with the same name used in the email address; however, the name used to close out the email did not match any employee’s.
Hospital members reportedly received an announcement in late March warning of potential scams after a phishing email had been received. In that announcement, OHSU said hospital leaders shared instructions on how to double-check for and how to report a phishing email.
OHSU’s full statement:
“First and foremost, we want to sincerely apologize to the OHSU community. This week, as part of OHSU’s regular exercises to help members practice spotting suspicious e-mails, the language in the test e-mail was taken verbatim from an actual phishing e-mail, to ensure no one else fell for the scam. That was a mistake. The real scam was insensitive and exploitive of OHSU members — and the attempt to educate members felt the same way, causing confusion and concern.
Effective e-mail scams are the single largest threat to OHSU technology systems and our ability to provide services to Oregonians, so the phishing exercise was focused on the effectiveness of the real scam. In this case, that focus was guided too narrowly by our responsibility to help protect OHSU and members from scams, without fully considering the harm it could cause.
We intend to learn from this event and implement preventive measures to keep a similar incident from happening in the future.”