Last Tuesday, June 18, 2019, the Oregon Department of Human Services (DHS) disclosed the data breach affecting the agency. According to Oregon Live, the number of people affected by the privacy data breach exceeds 645,000. The report initially released by the agency last March 2019 significantly rose, with estimated numbers amounting to 350,000.
Following reports of the breach, the agency intends to email the public and the affected individuals starting Wednesday, June 19.
Based on the report by KPTV, the data breach happened in January 2019. Employees of the Department of Human Services received a phishing email dated January 8, 2019. After receiving the message, the news site reports that 9 employees opened the link.
After opening the link, employees reportedly allowed hackers access to company email accounts. However, on January 28, 2019, KPTV reports that unauthorized access to these emails ceased.
Apart from the 9 compromised accounts, no other accounts became affected. Based on the investigation by the Enterprise Security Office Cyber Security team, the agency systems did not contain traces of malware. Stateman Journal also notes that the same security team confirmed the incident as a data breach.
Oregon Live states that hackers obtained personal information such as first and last names as well as dates of birth. Other potential data mined include addresses, Social Security numbers, and personal health information.
The personal health data compromised includes Protected Health Information (PHI). KTVZ states that the PHI is included in the Health Insurance Portability and Accountability Act (HIPAA).
Stateman Journal notes that the initial report indicates 2 million accounts compromised. Dubbed as a complex case, the state of Oregon hired ID Experts to do further assessments. Despite mining this information, authorities remain in the dark about whether or not these data “was viewed or inappropriately used.”
The department only notified the public last March 21, 2019, after confirming that personal data became affected.
Oregon Live declares that following the incident, the department worked with a team of 70 lawyers and paralegals.
Besides this, the agency states that it will provide aid to affected individuals, with a $1 million insurance reimbursement policy. The policy will cover 12 months of identity theft monitoring and recovery services. MyIDCare will conduct these offerings for affected customers.
KTVZ reports that the Department of Human Services notified Equifax, Experian, and TransUnion after the breach.