Oregon DHS data breach may have exposed private data of 350K people

Data breach
Employees clicking on a phishing link may have led to the personal information of 350,000 people being exposed to unauthorized people. (tashka2000/Getty)

The Oregon Department of Human Services confirmed a data breach due to a phishing email incident that compromised and potentially exposed the private health information of over 350,000 people.

The department issued a press release (PDF) on Thursday stating that it had uncovered a phishing incident that affected e-mail records at the department. The agency has hired an outside entity to perform a forensic review to clarify the number and identities of Oregon residents whose information was exposed and the specific kinds of information involved, state officials said.

Local media station KTVZ reported that the data breach may have exposed the personal information of the 1.6 million residents the department serves.

Featured Webinar

Patient experience and the bottom-line impact on a practice

Practices that deliver exceptional experience often demonstrate strong financial performance and efficient operations. Join us to learn how to identify the most impactful connections between patient experience and financial performance, how to measure, track and improve patient experience as it relates to the bottom line, and identify patient experience measures that affect financial performance.

The breach occurred in early January when nine employees clicked on a phishing link that compromised their email boxes. It's not clear how many people's information was exposed, but nearly 2 million emails were made vulnerable to unauthorized persons, Oregon DHS said. Information compromised may include client names, addresses, dates of birth, Social Security numbers, case numbers, and other data protected under the Health Insurance Portability and Accountability Act.

RELATED: Misconfigured database leads to major data breach at UW Medicine

In a statement, Oregon state representative Carl Wilson said the data breach is the latest in a disturbing trend of questionable DHS management.

"Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters,” Wilson said.

The agency and its enterprise security office cybersecurity team confirmed on Jan. 28 that a breach of regulated information had occurred. The agency said it has "strong information technology security processes in place, which enabled the department to detect and contain the incident." Agency officials said they cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately but is notifying the public because the information was accessible to an unauthorized person or persons.

RELATED: Data of 45,000 Rush patients exposed due to third-party breach

DHS considers the incident a breach under Oregon’s Identity Theft Protection Act, and the notification is provided because the class of affected consumers exceeds 350,000.

The department said while there is no indication that any personal information was copied from its email system or used inappropriately, it will be offering identity theft recovery services for impacted individuals.

Suggested Articles

CaaS is a library of up-to-date, accurate health information ready to do your bidding. Learn what structured content can do for you.

Providers are getting an additional five months to comply with new regulations aimed at improving data sharing.

Federal agencies warn that cybercriminals are escalating their extortion attempts against the healthcare industry even as COVID-19 cases surge.