Oregon’s Department of Human Services (DHS) is in the process of mailing notifications to roughly 645,000 of its reportedly 1.6 million clients, following a data breach incident last January that resulted from a phishing scam.

When DHS first publicly disclosed the incident last March, it said the number of affected Oregonians exceeded 350,000, but it was unclear by just how many. However, a June 18 news release from the agency appears to have answered this lingering question, raising the total number of victims by nearly an additional 300,000.

DHS said it will provide affected individuals with one year of ID theft monitoring and recovery services, including a $1 million insurance reimbursement policy.

“It is not known if the compromised information, which includes personal health information, was viewed or used inappropriately,” the release stated.

The breach took place on Jan. 8, 2019 when nine separate DHS employees opened a phishing email and clicked on a malicious internet link that gave the sender the power to success their accounts.

“Beginning January 9, 2019, these nine employees started reporting problems. We found all affected accounts and stopped the phishing access by January 28, 2019,” the official notification letter states.

Much of the client information exposed in the breach came from email attachment such as reports. Compromised data included names, addresses, birth dates, Social Security numbers, case numbers, personal health information (including HIPAA-protected info), and other information used in DHS programs.

“The Oregon DHS breach is very typical of the news we hear continuously,” said
Pravin Kothari, founder and CEO of CipherCloud, in emailed comments. But “What’s surprising is that the email attachments with sensitive PII [personally identifying information] and PHI [protected health information] data did not have any protection, and that Oregon DHS was just not prepared for such common attacks.”

Colin Bastable, CEO of Lucy Security, also took a swipe at the agency, asking “Why on earth are they sending and saving confidential documents as unsecured attachments via email?”

“The offer of 12 months of credit monitoring services is a box-tick, business-as-usual offer,” Bastable continued, “but the adverse impacts of phishing attacks last much longer and reverberate much wider. Harvested data is sold, repackaged and resold multiple times on the dark web. The 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”