350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals.

ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted.

The investigation conformed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019.

The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the account contained information such as clients’ first and last names, addresses, birth dates, case numbers, Social Security numbers, and information used to administer ODHS programs.

The investigation did not uncover any evidence to suggest the attackers viewed or copied any protected health information, but the possibility of data access/theft could not be ruled out.

The exact number of individuals affected by the phishing attack has not yet been finalized. When all individuals have been identified, IDExperts will be sending breach notification letters by mail and will provide further information on the steps that should be taken to protect against identity theft and fraud.

ODHS is offering complimentary credit monitoring and identity theft recovery services to all individuals affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.