Phishing Attack on Oregon DHS Potentially Affects 350K Individuals

March 26, 2019

The Oregon Department of Human Services (DHS) has disclosed a phishing attack on nearly two million department emails that potentially impacted more than 350,000 individuals' medical information.

“Unfortunately, protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was compromised and potentially exposed,” the agency said in a news release.

On Jan. 28, DHS confirmed that a breach of regulated information had occurred, following a spear phishing email that was sent to DHS earlier in the month. Nine individual employees opened the phishing email and clicked on a link that compromised their email mailboxes and allowed access to these employees’ email information, according to DHS officials.

Individuals’ HIPAA data became accessible, and protected information may include first and last names, addresses, dates of birth, Social Security numbers, case number and other information used to administer DHS programs.

“While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft recovery services for impacted individuals. DHS is in the process of determining whose information was affected by this breach,” according to officials.

The department is working with an outside entity, IDExperts, to perform a forensic review to clarify the number and identities of Oregonians whose information was exposed, and the specific kinds of information involved. Once that is confirmed, IDExperts will send individual notices to identified individuals, including notices to clients whose HIPAA-protected information was involved.

According to a story in the Cannon Beach Gazette, Robert Oakes, a department spokesman, said “the agency provides services to 1.6 million people, and the data breach could impact anyone from those involved in the foster care system, to those receiving food assistance to the elderly or disabled.”

Although the incident occurred in January, Oakes, when asked why the public wasn’t notified at the time, said it took time to go through the large number of emails to figure out what was exposed. “It just took time,” he said, according to the Cannon Beach Gazette story.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?