Oregon Department of Human Services Breach Affects 645,000 Clients

Oregon Department of Human Services Breach Affects 645,000 Clients

In March, the department announced that 350,000 clients had been affected by a data breach in January 2019. On Tuesday, they updated the number and announced that 645,000 clients had been affected.

The personal data of more than 650,000 clients of Oregon’s Department of Human Services was compromised during a January data breach. The department announced in March that more than 350,000 clients had been impacted, but they were doing an investigation and had not finished yet. When the department completed the investigation this week, they concluded that the number of clients affected was much higher than the original figure released.

The compromised information could include first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs. Not all of these information types were exposed for each client, and it is unknown if the information was viewed or used inappropriately.

On Jan. 8, an email phishing attempt was sent to department employees, and nine employees opened and clicked on the phishing link, allowing the sender access to their accounts. The accounts were secured by Jan. 28. Following the breach, the department hired ID Experts, an outside firm, to investigate the emails affected by the scam. The team comprised 70 attorneys and paralegals who read through and sorted the 2 million susceptible emails.

Most of the personal information compromised was in email attachments. Pravin Kothari, founder and CEO of CipherCloud, said it’s surprising that the department did not have adequate protection against these types of attacks.

“What’s surprising is that the email attachments with sensitive PII and PHI data did not have any protection, and that Oregon DHS was just not prepared for such common attacks,” Kothari said. “Most organizations have their email systems migrated to the cloud, either Microsoft or Google. As more and more information and data, the “crown jewels” of any organization, migrate to cloud-based solutions, organizations just do not have visibility and control that they used to have within the enterprise perimeter.”

Jake Sunderland, the agency’s spokesperson, told The Oregonian the breach affected clients from all five of the department’s divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab.

The department is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to affected clients. The service is provided by ID Experts and is called MyIDCare.

Colin Bastable, the CEO of Lucy Security, said the fact the department was using email as a data storage solution stood out to him. He said there are technology, processes, and policies to ensure that breaches of this kind don’t happen.

“The offer of credit monitoring services is a box-tick, business-as-usual offer: but the adverse impacts of phishing attacks last much longer and reverberate much wider,” Bastable said. “Harvested data is sold, repackaged and resold multiple times on the Dark Web – the 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”

The department will begin to send notifications with MyIDCare enrollment instructions Wednesday, June 19.

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Survey Shows Election Anxiety Crosses Party Lines

    New reports of election worker intimidation are raising concerns about election interference. A majority of Americans (71%) are worried about voter intimidation or safety at the polls, and 75% want security cameras at their voting place, according to a new national survey. Read Now

  • 66 Percent of Cybersecurity Pros Say Job Stress is Growing

    Sixty-six percent of cybersecurity professionals say their role is more stressful now than it was five years ago, according to the newly released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • Live from GSX 2024: Post-Show Recap

    Another great edition of GSX is in the books! We’d like to thank our great partners for this years event, NAPCO, LVT, Eagle Eye Networks and Hirsch, for working with us and allowing us to highlight some of the great solutions the companies were showcasing during the crowded show. Read Now

    • Industry Events
    • GSX
  • Research: Cybersecurity Success Hinges on Full Organizational Support

    Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now

Featured Cybersecurity

Webinars

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3