
645,000 Oregonians affected in previously disclosed Dept. of Human Services breach


Oregon's Department of Human Services (DHS) is in the process of mailing notifications to roughly 645,000 of its reportedly 1.6 million clients, following a data breach incident last January that resulted from a phishing scam.

When DHS first publicly disclosed the incident last March, it said the number of affected Oregonians exceeded 350,000, but it was unclear by just how many. However, a June 18 news release from the agency appears to have answered this lingering question, raising the total number of victims by nearly an additional 300,000.

DHS said it will provide affected individuals with one year of ID theft monitoring and recovery services, including a $1 million insurance reimbursement policy.

"It is not known if the compromised information, which includes personal health information, was viewed or used inappropriately," the release stated.

The breach took place on Jan. 8, 2019, when nine separate DHS employees opened a phishing email and clicked on a malicious internet link that gave the sender the power to access their accounts.

"Beginning January 9, 2019, these nine employees started reporting problems. We found all affected accounts and stopped the phishing access by January 28, 2019," the official notification letter states.

Much of the client information exposed in the breach came from email attachments such as reports. Compromised data included names, addresses, birth dates, Social Security numbers, case numbers, personal health information (including HIPAA-protected info), and other information used in DHS programs.

"The Oregon DHS breach is very typical of the news we hear continuously," said Pravin Kothari, founder and CEO of CipherCloud, in emailed comments. But "What's surprising is that the email attachments with sensitive PII [personally identifying information] and PHI [protected health information] data did not have any protection, and that Oregon DHS was just not prepared for such common attacks."

Colin Bastable, CEO of Lucy Security, also took a swipe at the agency, asking "Why on earth are they sending and saving confidential documents as unsecured attachments via email?"

"The offer of 12 months of credit monitoring services is a box-tick, business-as-usual offer," Bastable continued, "but the adverse impacts of phishing attacks last much longer and reverberate much wider. Harvested data is sold, repackaged and resold multiple times on the dark web. The 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
