The Oregon Department of Human Services (DHS) was the victim of a phishing campaign earlier this year, resulting in a data breach that reportedly involves the records of up to 1.6 million state residents.

According to a March 21 Oregon DHS press release, the incident took place last Jan. 8, when nine separate agency employees opened a spear phishing email and clicked on a link that compromised their email mailboxes and the two million emails within. The agency’s Enterprise Security Office Cyber Security team confirmed the breach on Jan. 28 and worked to contain the threat.

Contents within those emails included client information protected under HIPAA regulations. Such data may include names, addresses, birth dates, Social Security numbers and case numbers.

“The department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately. However, it is notifying the public because information was accessible to an unauthorized person or persons,” said an Oregon DHS news release, which was published under the guidelines of the state’s Identity Theft Protection Act.

The release said the number of affected consumers exceeds 350,000, but a report from local news affiliate KTVZ notes that the agency services about 1.6 million residents – meaning the total number of impacted civilians could potentially be far more. The Oregon DHS said an external digital forensics firm is actively investigating to determine the number of and identities of affected Oregonians. The agency will then contact those individuals and offer them ID theft recovery services.