The Oregon Department of Human Services (DHS) has disclosed a phishing attack on nearly two million department emails that potentially impacted more than 350,000 individuals' medical information.
“Unfortunately, Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was compromised and potentially exposed,” the agency said in a news release.
On Jan. 28, DHS confirmed that a breach of regulated information had occurred, following a spear phishing email that was sent to DHS earlier in the month. Nine employees opened the phishing email and clicked on a link that compromised their mailboxes and allowed access to the email information in them, according to DHS officials.
Individuals’ HIPAA data became accessible, and the protected information may include first and last names, addresses, dates of birth, Social Security numbers, case numbers and other information used to administer DHS programs.
“While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft recovery services for impacted individuals. DHS is in the process of determining whose information was affected by this breach,” according to officials.
The department is working with an outside entity, IDExperts, to perform a forensic review to clarify the number and identities of Oregonians whose information was exposed, and the specific kinds of information involved. Once that is confirmed, IDExperts will send individual notices to identified individuals, including notices to clients whose HIPAA-protected information was involved.
According to a story in the Cannon Beach Gazette, Robert Oakes, a department spokesman, said “the agency provides services to 1.6 million people, and the data breach could impact anyone from those involved in the foster care system, to those receiving food assistance to the elderly or disabled.”
Although the incident occurred in January, Oakes, when asked why the public wasn’t notified at the time, said it took time to go through the large number of emails to figure out what was exposed. “It just took time,” he said, according to the Cannon Beach Gazette story.