The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals.

ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted.

The investigation confirmed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019.

The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the accounts contained information such as clients’ first and last names, addresses, birth dates, case numbers, Social Security numbers, and information used to administer ODHS programs.

The investigation did not uncover any evidence to suggest the attackers viewed or copied any protected health information, but the possibility of data access/theft could not be ruled out.

The exact number of individuals affected by the phishing attack has not yet been finalized. When all individuals have been identified, IDExperts will be sending breach notification letters by mail and will provide further information on the steps that should be taken to protect against identity theft and fraud.

ODHS is offering complimentary credit monitoring and identity theft recovery services to all individuals affected by the breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
