Oregon DHS data breach may have exposed private data of 350K people

Data breach
Employees clicking on a phishing link may have led to the personal information of 350,000 people being exposed to unauthorized people. (tashka2000/Getty)

The Oregon Department of Human Services confirmed a data breach due to a phishing email incident that compromised and potentially exposed the private health information of over 350,000 people.

The department issued a press release (PDF) on Thursday stating that it had uncovered a phishing incident that affected e-mail records at the department. The agency has hired an outside entity to perform a forensic review to clarify the number and identities of Oregon residents whose information was exposed and the specific kinds of information involved, state officials said.

Local media station KTVZ reported that the data breach may have exposed the personal information of the 1.6 million residents the department serves.


13th Partnering with ACOS & IDNS Summit

This two-day summit taking place on June 10–11, 2019, offers a unique opportunity to have invaluable face-to-face time with key executives from various ACOs and IDNs from the entire nation – totaling over 3.5 million patients served in 2018. Exclusively at this summit, attendees are provided with inside information and data from case studies on how to structure an ACO/IDN pitch, allowing them to gain the tools to position their organization as a “strategic partner” to ACOs and IDNs, rather than a merely a “vendor.”

The breach occurred in early January when nine employees clicked on a phishing link that compromised their email boxes. It's not clear how many people's information was exposed, but nearly 2 million emails were made vulnerable to unauthorized persons, Oregon DHS said. Information compromised may include client names, addresses, dates of birth, Social Security numbers, case numbers, and other data protected under the Health Insurance Portability and Accountability Act.

RELATED: Misconfigured database leads to major data breach at UW Medicine

In a statement, Oregon state representative Carl Wilson said the data breach is the latest in a disturbing trend of questionable DHS management.

"Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters,” Wilson said.

The agency and its enterprise security office cybersecurity team confirmed on Jan. 28 that a breach of regulated information had occurred. The agency said it has "strong information technology security processes in place, which enabled the department to detect and contain the incident." Agency officials said they cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately but is notifying the public because the information was accessible to an unauthorized person or persons.

RELATED: Data of 45,000 Rush patients exposed due to third-party breach

DHS considers the incident a breach under Oregon’s Identity Theft Protection Act, and the notification is provided because the class of affected consumers exceeds 350,000.

The department said while there is no indication that any personal information was copied from its email system or used inappropriately, it will be offering identity theft recovery services for impacted individuals.

Suggested Articles

An artificial intelligence tool can help diagnose post-traumatic stress disorder in veterans by analyzing their voices, a new study found.

Dr. Asaf Bitton has been tapped as the executive director at Ariadne Labs.

Global private equity interest in healthcare continues to surge with deal activity hitting record levels in 2018.