[BreachExchange] More than 645,000 Oregonians impacted by DHS data breach

Destry Winant destry at riskbasedsecurity.com
Wed Jun 19 10:11:08 EDT 2019


https://www.oregonlive.com/data/2019/06/more-than-645000-oregonians-impacted-by-dhs-data-breach.html

Personal data of more than 645,000 clients of Oregon’s Department of
Human Services was compromised during a January data breach, the
agency disclosed Tuesday. This number is significantly higher than the
agency’s original report in March that the number of people affected
“exceeded 350,000.”

The breached client information potentially includes first and last
names, addresses, dates of birth, Social Security numbers, case
numbers, personal health information and other information used in DHS
programs, the agency said in a news release. The personal health
information includes protected health information that is due special
protection under federal health privacy laws. Not all of these
information types were exposed for each person.

After discovering the breach in January, the department hired a team
of 70 attorneys and paralegals to read and sort the 2 million
susceptible emails, Jake Sunderland, the agency’s spokesperson, said
Tuesday. When the department announced the breach in March, the legal
team still hadn’t finished their investigation, hence the much lower
figure of 350,000 clients impacted, he said. The department finished
the investigation earlier this week, he said.

The department said it will provide 12 months of identity theft
monitoring and recovery services, including a $1 million insurance
reimbursement policy, to individuals whose information was accessible.
A private firm with expertise in identity theft, MyIDCare, will
perform those services for affected clients, the news release said.

The data breach occurred as a result of a Jan. 8 email phishing
attempt when nine DHS employees opened and clicked on a phishing link,
thereby giving the sender access to their accounts. The compromised
accounts were secured by Jan. 28, the agency said.

DHS then hired an outside firm, ID Experts, for data analysis,
estimating that 2 million emails could have been made susceptible to
the scam. “The data breach affected clients from all five of our
divisions: Aging and People with Disabilities, Developmental
Disabilities, Child Welfare, Self-sufficiency and Vocational Rehab,”
Sunderland said.

The investigation by ID Experts cost the agency $485,000 and the credit
monitoring and other protections being offered to impacted clients
will cost $1,054,000. The cost to hire the outside lawyers and
paraprofessionals was $30,000, Sunderland said.

The 645,000 people whose information was hijacked will be notified by
the department starting Wednesday. Sunderland said DHS clients should
watch their mail in the coming weeks, and if they receive a letter
from the agency, take action on the enclosed instructions to access
the data protection services immediately. For those who do receive
letters, Sunderland emphasized, “We haven’t come across any evidence
that the information exposed was viewed or used,” but the agency is
still providing protection services in the event that it has.

“If you don’t get a letter, you’re fine,” Sunderland said.

