Employees of the Oregon DHS were targeted in a phishing attack that gave the cybercriminal control over as many as 2 million emails containing personal details such as Social Security numbers and health information.
The Department of Human Services (DHS) in Oregon today started notifying over half a million of its clients that their personal information was exposed to an unauthorized party in a data breach incident announced earlier this year, according to Bleeping Computer.
The compromise occurred on January 8, when nine DHS employees fell for a phishing email that gave the attacker access to their mailboxes.
A password reset initiated 20 days later stopped the hacker from further accessing the compromised email accounts, and an investigation confirmed that no malware was planted on the computer network.
Personal and Health Data Exposed
However, information from up to two million email messages and their attachments was exposed to an unsanctioned party between January 9 and January 28.
During this interval, the intruder was able to get first and last names, physical addresses, dates of birth, Social Security numbers (SSNs), case numbers, protected health information (PHI), and other details used in various DHS programs.
In total, information from about 645,000 individuals was exposed. According to the DHS website, the agency “provides direct services to more than 1 million Oregonians each year.”
“Starting June 19, 2019 the department is sending individual notices and enrollment instructions to those who have been impacted, including notices to clients whose personal health information may have been involved,” reads the notification from the department.
Most of the private details were available in email attachments. The department cannot say if any of the data was downloaded from the email system and used inappropriately.
Oregon DHS ID Protection
After confirming that sensitive information was involved, the Oregon DHS announced the breach and set up an incident call center. At that time, the agency knew for sure that over 350,000 people were impacted.
All impacted individuals benefit from 12 months of identity theft monitoring and recovery services free of charge through the MyIDCare service.
Anyone who needs assistance or more information about the incident and what can be done to minimize risks can call (800) 792-1750, toll-free. Details are also available on this website.
Ilascu, Ionut. (2019, June 19). Phishing Attack Exposes Data of 645,000 Oregon DHS Clients. Bleeping Computer.