Oregon DHS data breach may have exposed private data of 350K people

Data breach
Employees clicking on a phishing link may have led to the personal information of 350,000 people being exposed to unauthorized people. (tashka2000/Getty)

The Oregon Department of Human Services confirmed a data breach due to a phishing email incident that compromised and potentially exposed the private health information of over 350,000 people.

The department issued a press release (PDF) on Thursday stating that it had uncovered a phishing incident that affected e-mail records at the department. The agency has hired an outside entity to perform a forensic review to clarify the number and identities of Oregon residents whose information was exposed and the specific kinds of information involved, state officials said.

Local media station KTVZ reported that the data breach may have exposed the personal information of the 1.6 million residents the department serves.

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

The breach occurred in early January when nine employees clicked on a phishing link that compromised their email boxes. It's not clear how many people's information was exposed, but nearly 2 million emails were made vulnerable to unauthorized persons, Oregon DHS said. Information compromised may include client names, addresses, dates of birth, Social Security numbers, case numbers, and other data protected under the Health Insurance Portability and Accountability Act.

RELATED: Misconfigured database leads to major data breach at UW Medicine

In a statement, Oregon state representative Carl Wilson said the data breach is the latest in a disturbing trend of questionable DHS management.

"Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters,” Wilson said.

The agency and its enterprise security office cybersecurity team confirmed on Jan. 28 that a breach of regulated information had occurred. The agency said it has "strong information technology security processes in place, which enabled the department to detect and contain the incident." Agency officials said they cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately but is notifying the public because the information was accessible to an unauthorized person or persons.

RELATED: Data of 45,000 Rush patients exposed due to third-party breach

DHS considers the incident a breach under Oregon’s Identity Theft Protection Act, and the notification is provided because the class of affected consumers exceeds 350,000.

The department said while there is no indication that any personal information was copied from its email system or used inappropriately, it will be offering identity theft recovery services for impacted individuals.

Suggested Articles

Humana and Microsoft announced a seven-year strategic partnership to build predictive solutions and intelligent automation to support Humana members.

Ochsner Health System is partnering with Color to launch a population health pilot program to integrate genetic information into preventive care.

Nominations are open for our 2020 FierceHealthcare Fierce 15 awards. Think your company has what it takes? Submit your nominations here.