The Oregon Department of Human Services (ODHS) is making contact with 645,000 clients to advise them that a portion of their personal information was possibly impacted due to a phishing attack.
The phishing attack began on January 9, 2019 and led to nine ODHS members of staff visiting links in emails and disclosing their login details.
ODHS and the Department of Administrative Services Enterprise Security Office identified the breach on January 28 after being contacted by members of staff who thought that their email accounts had been compromised. All compromised email accounts were swiftly identified and remote access to the accounts was disabled that very day.
An investigation was begun to ascertain what took place, what protected health information may have been viewed, and which individuals had been affected. That review has taken some time to conduct as it involved checking around 2 million separate emails.
The hackers logged into the compromised accounts and could access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the cybercriminals but they may have viewed or obtained PHI such as names, contact data, Social Security numbers, case identifiers, and sensitive health information.
ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach on March 21, when it became clear that PHI was involved. However, individual breach notifications were not shared until June 21.
ODHS manages programs linked to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable citizens in the state. To ensure that those individuals come to no harm due to the breach, ODHS has paid for a $1 million identity theft reimbursement insurance policy and is offering all affected citizens 12 months of free credit monitoring and identity theft recovery services to allow for some peace of mind.
Robert Oakes, spokesperson for ODHS, referred to this as an “extremely sophisticated email attack.”
Since the attack, ODHS has shut off access to the email web application that was accessed and will continue to conduct internal security audits to identify flaws, which will then be subjected to a HIPAA-compliant risk management process. Additional security awareness training is already being given to staff, and efforts will continue to educate the workforce about the damage caused by phishing.