The Oregon Department of Human Services confirmed a data breach due to a phishing email incident that compromised and potentially exposed the private health information of over 350,000 people.
The department issued a press release (PDF) on Thursday stating that it had uncovered a phishing incident that affected email records at the department. The agency has hired an outside entity to perform a forensic review to clarify the number and identities of Oregon residents whose information was exposed and the specific kinds of information involved, state officials said.
Local media station KTVZ reported that the data breach may have exposed the personal information of the 1.6 million residents the department serves.
The breach occurred in early January when nine employees clicked on a phishing link that compromised their email boxes. It's not clear how many people's information was exposed, but nearly 2 million emails were made vulnerable to unauthorized persons, Oregon DHS said. Information compromised may include client names, addresses, dates of birth, Social Security numbers, case numbers, and other data protected under the Health Insurance Portability and Accountability Act.
In a statement, Oregon state representative Carl Wilson said the data breach is the latest in a disturbing trend of questionable DHS management.
"Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters," Wilson said.
The agency and its enterprise security office cybersecurity team confirmed on Jan. 28 that a breach of regulated information had occurred. The agency said it has "strong information technology security processes in place, which enabled the department to detect and contain the incident." Agency officials said they cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately, but the agency is notifying the public because the information was accessible to an unauthorized person or persons.
DHS considers the incident a breach under Oregon’s Identity Theft Protection Act, and the notification is provided because the class of affected consumers exceeds 350,000.
The department said while there is no indication that any personal information was copied from its email system or used inappropriately, it will be offering identity theft recovery services for impacted individuals.