Salem, Ore. – The Oregon Department of Human Services uncovered a phishing incident that affected e-mail records at the department. Unfortunately, Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was compromised and potentially exposed.
The agency has hired an outside entity, IDExperts, to perform a forensic review to clarify the number and identities of Oregonians whose information was exposed, and the specific kinds of information involved.
The Department of Human Services takes privacy and the confidentiality of client information seriously and has strong information technology security processes in place, which enabled the department to detect and contain the incident. The department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately. However, it is notifying the public because information was accessible to an unauthorized person or persons.
Although DHS has not confirmed that clients’ personal information was acquired during the incident, DHS considers the incident a breach under Oregon’s Identity Theft Protection Act (ORS 646A.600 to 646A.628). Therefore, this notification is provided in part as a substitute notice of a breach under Oregon’s Identity Theft Protection Act, because the class of affected consumers exceeds 350,000.
The facts are summarized below, along with protective measures the department has taken since discovering the incident and general guidance on protecting personal information.
On January 28, 2019, DHS and the Enterprise Security Office Cyber Security team confirmed that a breach of regulated information had occurred. Nine individual employees opened a phishing email and clicked on a link that compromised their email mailboxes and allowed access to these employees’ email information. Current information indicates that on January 8th, a spear phishing email was sent to DHS employees. Through our process of discovery, we learned that there were nearly 2 million emails in those email mailboxes.
The unauthorized access to the affected email mailboxes was successfully stopped. DHS is in the process of thoroughly reviewing the incident and the information involved. This investigation includes clarifying the number of impacted records that might contain personal information of clients receiving services from DHS.
What information was involved?
Clients’ Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was accessible to an unauthorized person. Client information may include first and last names, addresses, dates of birth, Social Security numbers, case number and other information used to administer DHS programs.
What is the Department of Human Services doing?
The security and confidentiality of personal information is critical to the Department of Human Services. While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft recovery services for impacted individuals. DHS is in the process of determining whose information was affected by this breach. Once confirmed, IDExperts will send individual notices to identified individuals, including notices to clients whose HIPAA-protected information was involved, with instructions on how to register for the service, which includes free credit monitoring.
Need more information?
DHS will provide updates as more information is known.
IDExperts has established a toll-free information line, which will be available Friday (March 22, 2019) at (800) 792-1750 to assist DHS clients with more information. There is also an established website with information: http://ide.myidcare.com/oregonDHS
Concerned DHS clients may contact all three national consumer reporting agencies, including for a copy of a current credit report, at:
Equifax, TransUnion, and Experian
Phone 877-322-8228 (Option 1)
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281
Credit freeze: Consumers, including potentially affected DHS clients, have the option to freeze their credit reports for free. Parents may request a freeze of the credit report of a DHS client who is a child under the age of 16. The guardian, conservator, or person holding a valid power of attorney for a DHS client may also request a credit report freeze for that DHS client. Below is each company’s freeze contact information:
Equifax, (800) 349-9960 (Automated, Option 1) or (888) 298-0045 (Live)
TransUnion, (888) 909-8872 (Option 3)
Experian, (888) 397-3742 (Option 1 followed by Option 2)
As always, DHS clients are encouraged to report suspected identity theft to law enforcement, including the Oregon Attorney General’s Consumer Protection Division and the Federal Trade Commission.
For information on how to report suspected identity theft and for information about protecting your identity, visit:
The Oregon Attorney General’s Consumer Protection Division, which can be found online at: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/
Federal Trade Commission consumer information on Privacy, Identity & Online Security, which can be found online at: https://www.consumer.ftc.gov/topics/privacy-identity-online-security
Press release provided by the Oregon Department of Human Services.