Phishing Attack on Oregon Department of Human Services Impacts 350,000 People

A phishing attack on the Oregon Department of Human Services (ODHS) potentially resulted to the viewing or access of the protected health information (PHI) of over 350,000 people by unauthorized individuals.

ODHS found out on January 28, 2019 that unauthorized persons accessed email accounts that contain the personal information of its clients. The forensics specialists of IDExperts helped in the investigation to determine how many persons were affected, what are the types of data potentially accessed, and if the personal information of clients were extracted.

According to the investigators, nine employees clicked the links in received phishing emails and revealed their login details, thus the attackers were able to access their email accounts. The first account compromise was detected on January 8, 2019.

About 2 million emails were contained in the compromised email accounts. The investigators are still checking to know the particular individuals affected. ODHS has affirmed that the following information were found in the breached emails: first and last names of clients, addresses, dates of birth, case numbers, Social Security numbers, and data employed in administering ODHS programs.

There is no evidence uncovered by the investigators that indicate the attackers viewed or duplicated any PHI. However, it is not possible to rule out data access or theft.

The precise number of people impacted by the phishing attack is not yet finalized. After identifying all the victims, IDExperts will send breach notification letters via mail to them and will give more information on what should be done to safeguard against identity theft and fraud.

ODHS is giving all persons affected by the breach free credit monitoring and identity theft recovery services.