The Oregon Department of Human Services (DHS) announced that roughly 2 million emails with Protected Health Information (PHI) from more than 350,000 customers have been potentially exposed after 9 employee mailboxes were compromised in a spear phishing attack.
According to the Oregon DHS, its Enterprise Security Office Cyber Security team was the one which determined that the email boxes were breached on January 28, 2019.
DHS also said that the attackers were stopped from further accessing the hacked mailboxes by resetting the passwords and that an investigation was started to review all the information that might have been exposed, as well as to pinpoint the exact "number of impacted records that might contain personal information of clients receiving services from DHS."
Forensic review of the data breach ongoing
After the attack was successfully stopped, "The agency has hired an outside entity, IDExperts, to perform a forensic review to clarify the number and identities of Oregonians whose information was exposed, and the specific kinds of information involved."
DHS states that the PHI impacted in the data breach "was accessible to an unauthorized person" and that the information "may include first and last names, addresses, dates of birth, Social Security numbers, case number and other information used to administer DHS programs."
Also, "The department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately. However, it is notifying the public because information was accessible to an unauthorized person or persons."
Despite that, DHS says that it considers the incident a data breach under Oregon’s Identity Theft Protection Act (ORS 646A.600 to 646A.628).
DHS had a security issue affecting employee e-mail accounts. Please see our announcement for what you need to know: https://t.co/KNWCnvNQ4l
— Oregon DHS (@OregonDHS) March 21, 2019
Toll-free information line available
Additionally, "the department will be offering identity theft recovery services for impacted individuals" and will send notices to all customers affected by the breach via a notification letter by US mail in the coming weeks "with instructions on how to register for the service, which includes free credit monitoring."
According to the Oregon DHS:
IDExperts has established a toll-free information line which will be available Friday (March 22, 2019) at (800) 792-1750 to assist DHS clients with more information. There is also an established website with information. http://ide.myidcare.com/oregonDHS
The Oregon DHS data breach notification also states that "The Department of Human Services takes privacy and the confidentiality of client information seriously and has strong information technology security processes in place, which enabled the department to detect and contain the incident."
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now