[BreachExchange] Oregon reveals data breach affected hundreds in welfare, children’s programs

Destry Winant destry at riskbasedsecurity.com
Fri Mar 22 08:54:30 EDT 2019


The Oregon agency that runs the state’s foster care and welfare
programs announced on Thursday afternoon that the personal information
of more than 350 people in those programs might have been comprised,
after a Jan. 28 data breach.

An unidentified attacker gained access to the state’s records after
nine employees at the Department of Human Services opened so-called
“phishing” emails and clicked on a link that allowed the outside party
to gain access to their state email accounts, according to a state
press release.

The state did not say specifically how many Oregonians might be
affected. It did say the breach involved their protected health
information. Examples of the types of information that might have been
compromised includes first and last names, addresses, dates of birth,
Social Security numbers and case numbers.

"At this point, it involves all of our programs,” agency spokesman
Robert Oakes said on Tuesday afternoon. “Primarily (the Aging and
People with Disabilities Program), child welfare, self-sufficiency and
vocational rehabilitation.” The agency is checking to see if
information was compromised in the program for children and adults
with intellectual and developmental disabilities, Oakes said.

The state hired a contractor, IDExperts, to perform a forensic review
to figure out the exact number and identities of Oregonians whose
information was exposed. Oakes said that firm will also contact the
people who were affected and inform them of the availability of free
credit monitoring services. The state notified news media of the
breach on Thursday in order to comply with a state law that requires
entities involved in a data breach to notify people who were affected
“in the most expeditious manner possible, without unreasonable delay.”

In a press release, Oregon House Republican Leader Rep. Carl Wilson
took the agency to task for not notifying the public sooner.

“Transparency continues to be a systemic problem at DHS," said Wilson,
of Grants Pass. “Protection of personal information they are required
to provide the state should be given the highest priority. Beyond
that, we’re seeing a growing accountability issue when DHS fails to
quickly inform the public about embarrassing matters.”

With more than 8,000 employees, the Department of Human Services is
the largest state agency, with programs including foster care, food
stamps and cash assistance also known as welfare.

Oregon state government has experienced several data breaches in
recent years. A year ago, Oregon’s tax agency revealed an employee had
copied the personal information of 36,000 people. There were also
security breaches at the Secretary of State’s office and Employment
Department in 2014 and the state data center in 2015.

More information about the BreachExchange mailing list