The Oregon Department of Human Services is in the news again over a previously reported security breach. As the investigation continued, the figures changed: over 600,000 users are now receiving alerts about the Oregon DHS data breach. The new count is roughly double the previously estimated 350,000 customers.
Oregon DHS Data Breach Incident
In January 2019, the Oregon Department of Human Services (DHS) suffered a massive cyber attack that led to a data breach. Specifically, it was a phishing attack that affected nine DHS employees’ email accounts. The affected accounts exposed around 2 million emails containing customers’ PHI. As stated in the Oregon DHS data breach notification issued at that time:
Nine individual employees opened a phishing email and clicked on a link that compromised their email mailboxes and allowed access to these employees’ email information. Current information indicates on January 8th, a spear phishing email was sent to DHS employees.
DHS identified the breach on January 28, 2019, and together with the Enterprise Security Office Cyber Security team, they contained the attack. By that time, however, the hacked email accounts had already exposed data to the attackers.
The breach potentially exposed “Clients’ Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA)” to the attackers. The information in this category included first names, last names, birth dates, addresses, Social Security numbers, case numbers, and other data.
Investigations Reveal More Affected Individuals
Oregon DHS first disclosed this breach in March 2019, with relevant details. At that time, they estimated that more than 350,000 users were potentially affected by this incident.
However, as the investigation continued, the count changed. On June 19, 2019, Oregon DHS began notifying the potentially impacted users, with a total count of around 645,000. This appears to be the final count since, with the help of IDExperts, they have identified the people affected during the incident.
As stated in their recent notification:
IDExperts identified the personal information in the affected email accounts. They also identified the people whose information was exposed. Because we have this information, we can send a notice to each person whose personal information was exposed.
While they do not confirm any misuse of the breached information, they still offer 12-month identity theft monitoring and recovery services to the affected individuals.
Stories such as this underscore the need for companies to invest in penetration testing services.