Oregon Department of Human Services Breach Affects 645,000 Clients

Oregon Department of Human Services Breach Affects 645,000 Clients

In March, the department announced that 350,000 clients had been affected by a data breach in January 2019. On Tuesday, they updated the number and announced that 645,000 clients had been affected.

The personal data of more than 650,000 clients of Oregon’s Department of Human Services was compromised during a January data breach. The department announced in March that more than 350,000 clients had been impacted, but they were doing an investigation and had not finished yet. When the department completed the investigation this week, they concluded that the number of clients affected was much higher than the original figure released.

The compromised information could include first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs. Not all of these information types were exposed for each client, and it is unknown if the information was viewed or used inappropriately.

On Jan. 8, an email phishing attempt was sent to department employees, and nine employees opened and clicked on the phishing link, allowing the sender access to their accounts. The accounts were secured by Jan. 28. Following the breach, the department hired ID Experts, an outside firm, to investigate the emails affected by the scam. The team comprised 70 attorneys and paralegals who read through and sorted the 2 million susceptible emails.

Most of the personal information compromised was in email attachments. Pravin Kothari, founder and CEO of CipherCloud, said it’s surprising that the department did not have adequate protection against these types of attacks.

“What’s surprising is that the email attachments with sensitive PII and PHI data did not have any protection, and that Oregon DHS was just not prepared for such common attacks,” Kothari said. “Most organizations have their email systems migrated to the cloud, either Microsoft or Google. As more and more information and data, the “crown jewels” of any organization, migrate to cloud-based solutions, organizations just do not have visibility and control that they used to have within the enterprise perimeter.”

Jake Sunderland, the agency’s spokesperson, told The Oregonian the breach affected clients from all five of the department’s divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab.

The department is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to affected clients. The service is provided by ID Experts and is called MyIDCare.

Colin Bastable, the CEO of Lucy Security, said the fact the department was using email as a data storage solution stood out to him. He said there are technology, processes, and policies to ensure that breaches of this kind don’t happen.

“The offer of credit monitoring services is a box-tick, business-as-usual offer: but the adverse impacts of phishing attacks last much longer and reverberate much wider,” Bastable said. “Harvested data is sold, repackaged and resold multiple times on the Dark Web – the 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”

The department will begin to send notifications with MyIDCare enrollment instructions Wednesday, June 19.

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • The Progress of Biometrics

  • Next-Gen AI for Smart Cities

    The future of smart city technology is not being shaped in Silicon Valley — it is taking root in Dubuque, Iowa. With a population of about 60,000, this mid-sized city has become a live testbed for AI-driven traffic management thanks to a unique public-private collaboration led by Milestone Systems. Project Hafnia demonstrates how cities can transform urban mobility and safety through Responsible Technology—without costly infrastructure overhauls. Read Now

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.