Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack.

The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials.

ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day.

An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails.

The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained PHI such as names, contact information, Social Security numbers, case numbers, and sensitive health information.

On March 21, when it became clear that PHI was involved, ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach. However, individual breach notifications were not sent until June 21.

ODHS oversees programs related to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable individuals in the state. To protect those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is offering all affected individuals 12 months of complimentary credit monitoring and identity theft recovery services.

ODHS spokesperson Robert Oakes said this was an “extremely sophisticated email attack.” ODHS has since closed access to the email web application that was breached and will continue to conduct internal security audits to vulnerabilities and will subject those vulnerabilities to a HIPAA-compliant risk management process. Training is already provided to staff on security awareness and efforts will continue to educate the workforce about the dangers from phishing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.