Oregon Department of Human Services Breach Affects 645,000 Clients

Oregon Department of Human Services Breach Affects 645,000 Clients

In March, the department announced that 350,000 clients had been affected by a data breach in January 2019. On Tuesday, they updated the number and announced that 645,000 clients had been affected.

The personal data of more than 650,000 clients of Oregon’s Department of Human Services was compromised during a January data breach. The department announced in March that more than 350,000 clients had been impacted, but they were doing an investigation and had not finished yet. When the department completed the investigation this week, they concluded that the number of clients affected was much higher than the original figure released.

The compromised information could include first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs. Not all of these information types were exposed for each client, and it is unknown if the information was viewed or used inappropriately.

On Jan. 8, an email phishing attempt was sent to department employees, and nine employees opened and clicked on the phishing link, allowing the sender access to their accounts. The accounts were secured by Jan. 28. Following the breach, the department hired ID Experts, an outside firm, to investigate the emails affected by the scam. The team comprised 70 attorneys and paralegals who read through and sorted the 2 million susceptible emails.

Most of the personal information compromised was in email attachments. Pravin Kothari, founder and CEO of CipherCloud, said it’s surprising that the department did not have adequate protection against these types of attacks.

“What’s surprising is that the email attachments with sensitive PII and PHI data did not have any protection, and that Oregon DHS was just not prepared for such common attacks,” Kothari said. “Most organizations have their email systems migrated to the cloud, either Microsoft or Google. As more and more information and data, the “crown jewels” of any organization, migrate to cloud-based solutions, organizations just do not have visibility and control that they used to have within the enterprise perimeter.”

Jake Sunderland, the agency’s spokesperson, told The Oregonian the breach affected clients from all five of the department’s divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab.

The department is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to affected clients. The service is provided by ID Experts and is called MyIDCare.

Colin Bastable, the CEO of Lucy Security, said the fact the department was using email as a data storage solution stood out to him. He said there are technology, processes, and policies to ensure that breaches of this kind don’t happen.

“The offer of credit monitoring services is a box-tick, business-as-usual offer: but the adverse impacts of phishing attacks last much longer and reverberate much wider,” Bastable said. “Harvested data is sold, repackaged and resold multiple times on the Dark Web – the 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”

The department will begin to send notifications with MyIDCare enrollment instructions Wednesday, June 19.

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Tradeshow Work Can Be Fun

    While at ISC West last week, I ran into numerous friends and associates all of which was a pleasant experience. The first question always seemed to be, “How many does this make for you?” Read Now

    • Industry Events
    • ISC West
  • New Report Says 1 in 5 SMBs Would Be Forced to Shutter After Successful Cyberattack

    Small and medium-sized businesses (SMBs) play a crucial role in the U.S. economy, making up 99.9% of all businesses and contributing to half of the nation's GDP. However, these vital economic growth drivers face an escalating threat—cyberattacks that could put them out of business. Read Now

  • The Yellow Brick Road

    The road to and throughout Wednesday's and Thursday's ISC West was crowded but it was amazing. Read Now

    • Industry Events
    • ISC West
  • An Inside Look From Napco at ISC West

    Get a look into the excitement at ISC West 2025 from Napco. Hear from some of their top-tech executives live from the show floor. Read Now

    • Industry Events
    • ISC West
  • Upping the Ante

    I am not a betting man in terms of cards, dice, blackjack or that wheel with the black marble racing around the circumference of a spinning wheel, but I would bet on the success of ISC West this year. Read Now

    • Industry Events
    • ISC West

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.