First and foremost, we want to sincerely apologize to the OHSU community. This week, as part of OHSU's regular exercises to help members practice spotting suspicious e-mails, the language in the test e-mail was taken verbatim from an actual phishing e-mail, to ensure no one else fell for the scam. That was a mistake. The real scam was insensitive and exploitative of OHSU members — and the attempt to educate members felt the same way, causing confusion and concern.
Effective e-mail scams are the single largest threat to OHSU technology systems and our ability to provide services to Oregonians, so the phishing exercise was focused on the effectiveness of the real scam. In this case, that focus was guided too narrowly by our responsibility to help protect OHSU and members from scams, without fully considering the harm it could cause.
We intend to learn from this event and implement preventive measures to keep a similar incident from happening in the future.
Background
In an all-member announcement sent in late March, leadership warned the OHSU community about an e-mail phishing scam that had been seen at OHSU. OHSU shared instructions on how to identify phishing e-mails and double-check for authenticity. Further, OHSU explained how to report phishing e-mails, and directed members to financial support information on official OHSU webpages. The test e-mail, which included language identical to the scam, was sent to the OHSU community April 12.