Oregon Dept. of Human Services confirms data breach

SALEM, Ore. (AP) – The Oregon Department of Human Services said Thursday that a data breach may have exposed the personal information of the 1.6 million residents the department serves.

The department said it isn’t sure exactly how many people had their information exposed after nearly 2 million employee emails were made vulnerable to unauthorized persons. Those emails could have contained sensitive client information, including full names and Social Security numbers.

The breach occurred in January after nine employees opened a phishing link that compromised their email boxes.

DHS says it hired an outside investigator to uncover how many records were impacted and how the information was used. Individuals whose information was exposed will be notified.

DHS manages a number of welfare agencies in the state.

—

News release from DHS:

(Salem, Ore.) – The Oregon Department of Human Services uncovered a phishing incident that affected e-mail records at the department. Unfortunately, Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was compromised and potentially exposed.

The agency has hired an outside entity, IDExperts, to perform a forensic review to clarify the number and identities of Oregonians whose information was exposed, and the specific kinds of information involved.

The Department of Human Services takes privacy and the confidentiality of client information seriously and has strong information technology security processes in place, which enabled the department to detect and contain the incident. The department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately. However, it is notifying the public because information was accessible to an unauthorized person or persons.

Although DHS has not confirmed that clients’ personal information was acquired during the incident, DHS considers the incident a breach under Oregon’s Identity Theft Protection Act (ORS 646A.600 to 646A.628). Therefore, this notification is provided in part as a substitute notice of a breach under Oregon’s Identity Theft Protection Act, because the class of affected consumers exceeds 350,000.

The facts are summarized below, along with protective measures the department has taken since discovering the incident and general guidance on protecting personal information.

What happened?

On January 28, 2019 DHS and Enterprise Security Office Cyber Security team confirmed that a breach of regulated information had occurred. Nine individual employees opened a phishing email and clicked on a link that compromised their email mailboxes and allowed access to these employees’ email information. Current information indicates on January 8th, a spear phishing email was sent to DHS employees. Through our process of discovery, we learned that there were nearly 2 million emails in those email mailboxes.

The unauthorized access to the affected email mailboxes was successfully stopped. DHS is in the process of thoroughly reviewing the incident and the information involved. This investigation includes clarifying the number of impacted records that might contain personal information of clients receiving services from DHS.

What information was involved?

Clients’ Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was accessible to an unauthorized person. Client information may include first and last names, addresses, dates of birth, Social Security numbers, case number and other information used to administer DHS programs.

What is the Department of Human Services doing?

The security and confidentiality of personal information is critical to the Department of Human Services. While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft recovery services for impacted individuals. DHS is in the process of determining whose information was affected by this breach. Once confirmed, IDExperts will send individual notices to identified individuals, including notices to clients whose HIPAA-protected information was involved, with instructions on how to register for the service, which includes free credit monitoring.

Need more information?

DHS will provide updates as more information is known.

IDExperts has established a toll-free information line which will be available Friday (March 22, 2019) at (800) 792-1750 to assist DHS clients with more information. There is also an established website with information. http://ide.myidcare.com/oregonDHS

Concerned DHS clients may contact all three national consumer reporting agencies, including for a copy of a current credit report, at:

Equifax, TransUnion, and Experian

Website: AnnualCreditReport.com

Phone 877-322-8228 (Option 1)

Mailing Address:

Annual Credit Report Request Service

P.O. Box 105281

Atlanta, GA 30348-5281

Credit freeze: Consumers, including potentially affected DHS clients, have the option to freeze their credit reports for free. Parents may request a freeze of the credit report of a DHS client who is a child under the age of 16. The guardian, conservator, or person holding a valid power of attorney for a DHS client may also request a credit report freeze for that DHS client. Below is each company’s freeze contact information:

Equifax, (800) 349-9960 (Automated, Option 1) or (888) 298-0045 (Live)

TransUnion, (888) 909-8872 (Option 3)

Experian, (888) 397-3742 (Option 1 followed by Option 2)

As always, DHS clients are encouraged to report suspected identity theft to law enforcement, including the Oregon Attorney General’s Consumer Protection Division and the Federal Trade Commission.

For information on how to report suspected identity theft and for information about protecting your identity, visit:

The Oregon Attorney General’s Consumer Protection Division, which can be found online at: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/

Federal Trade Commission consumer information on Privacy, Identity & Online Security, which can be found online at: https://www.consumer.ftc.gov/topics/privacy-identity-online-security

—

News release from the Oregon House Republican Office:

Data breach is the latest in a disturbing trend of questionable DHS management

Thousands of Oregonians had their personal information exposed in January

SALEM, Oregon – Once again the Department of Human Services’ failings are making headlines. This time the department that oversees protected health information for thousands suffered a data breach. Yet, nearly two months passed before DHS revealed that its system had been compromised, exposing social security numbers, birth dates and additional personal information. This risks identity theft and other criminal exploitation of this data.

In early January, nine employees opened phishing emails and clicked on a link that compromised their email accounts and allowed access to these employees’ email information. That led to the access of nearly 2 million emails. Outside investigators confirmed the hack on Jan. 28. But rather than immediately alerting the public that their information may have been stolen, DHS chose to wait, allowing time for criminals to harm thousands of unwitting Oregonians.

“Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters,” said House Republican Leader Rep. Carl Wilson (R-Grants Pass).