I am conducting a breach risk assessment and would like some guidance. Pertinent details:
1) Successful phishing attack of employee led to 30 minutes of unauthorized access to email and file store by the perpetrator.
2) Forensics prove no action taken by the perpetrator in the data store (no files copied, downloaded, opened, etc.).
3) Forensics prove no synchronization of email or forwarding of email
4) Perpetrator could have 'seen' emails.
5) Mailbox contained 5200 emails - of which 34 contained PHI
6) PHI included only Pt. Name, Address, Date of Birth
7) Forensics indicate that the perpetrator used the 30 minutes to perpetuate their phishing campaign by sending 895 additional phishing emails to other persons.
In performing a LOPROCO we have concluded that, given the above, there is a low probability that PHI was compromised. This conclusion is largely based on the evidence that the perpetrator had an opportunity to copy/download/synchronize the data store (which contained an immense amount of PHI) but did not do so. Therefore, we conclude it is highly unlikely that the perpetrator would have sifted through over 5000 emails to 'read' and/or 'retain' the 34 items in question.
Given the information we have provided, do you believe we are in a position that warrants our conclusion? I can certainly provide more detail if warranted.