Oregon Department of Human Services Breach Affects 645,000 Clients

Oregon Department of Human Services Breach Affects 645,000 Clients

In March, the department announced that 350,000 clients had been affected by a data breach in January 2019. On Tuesday, they updated the number and announced that 645,000 clients had been affected.

The personal data of more than 650,000 clients of Oregon’s Department of Human Services was compromised during a January data breach. The department announced in March that more than 350,000 clients had been impacted, but they were doing an investigation and had not finished yet. When the department completed the investigation this week, they concluded that the number of clients affected was much higher than the original figure released.

The compromised information could include first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs. Not all of these information types were exposed for each client, and it is unknown if the information was viewed or used inappropriately.

On Jan. 8, an email phishing attempt was sent to department employees, and nine employees opened and clicked on the phishing link, allowing the sender access to their accounts. The accounts were secured by Jan. 28. Following the breach, the department hired ID Experts, an outside firm, to investigate the emails affected by the scam. The team comprised 70 attorneys and paralegals who read through and sorted the 2 million susceptible emails.

Most of the personal information compromised was in email attachments. Pravin Kothari, founder and CEO of CipherCloud, said it’s surprising that the department did not have adequate protection against these types of attacks.

“What’s surprising is that the email attachments with sensitive PII and PHI data did not have any protection, and that Oregon DHS was just not prepared for such common attacks,” Kothari said. “Most organizations have their email systems migrated to the cloud, either Microsoft or Google. As more and more information and data, the “crown jewels” of any organization, migrate to cloud-based solutions, organizations just do not have visibility and control that they used to have within the enterprise perimeter.”

Jake Sunderland, the agency’s spokesperson, told The Oregonian the breach affected clients from all five of the department’s divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab.

The department is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to affected clients. The service is provided by ID Experts and is called MyIDCare.

Colin Bastable, the CEO of Lucy Security, said the fact the department was using email as a data storage solution stood out to him. He said there are technology, processes, and policies to ensure that breaches of this kind don’t happen.

“The offer of credit monitoring services is a box-tick, business-as-usual offer: but the adverse impacts of phishing attacks last much longer and reverberate much wider,” Bastable said. “Harvested data is sold, repackaged and resold multiple times on the Dark Web – the 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”

The department will begin to send notifications with MyIDCare enrollment instructions Wednesday, June 19.

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Security Today Launches 2023 Government Security Awards

    Security Today is proud to announce the launch of the 2023 Government Security Awards. The Govies honor outstanding government security products in a variety of categories. For this year’s awards program, participants can choose from 38 different categories to enter their product(s) into. Read Now

  • City Safe Partners Announces Scholarship Program for Dependents of Full-Time Employees

    • Guard Services
  • Back to the Basics

    Back to the Basics

    Security is a continuous evolution of practices and procedures. The developments in technology and advancements in threats make security difficult at times. Although security from one location may look different from another location, there is a common goal applied to security measures. The common goal is protection. Read Now

  • The Top Three Security Trends in 2023

    The Top Three Security Trends in 2023

    As security technology has become more widely used, the interest in new capabilities and increased security measures has increased. As we head into 2023, these three trends will shape the security landscape. Read Now

Featured Cybersecurity

New Products

  • Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin America, a global supplier of IP and analog video surveillance solutions, unveiled two new Wisenet X series NVRs that support the industry’s first video playback and recording of up to 8K super-high-resolution images. 3

  • LiftMaster Garage Door Opener

    LiftMaster Garage Door Opener

    LiftMaster Transforms the Garage Door Opener Into a Sleek Smart Home Device That Does More Than Open and Close the Garage Door 3

  • PACE® Long Range Ethernet Solutions

    PACE® Long Range Ethernet Solutions

    Altronix introduces the newest addition to its portfolio of PACE® Long Range Ethernet Solutions. 3