The Oregon Department of Human Services is notifying 350,000 individuals after learning that nine employees fell victim to a phishing attack.
The department believes the attack occurred on January 8; on January 28, a cybersecurity team confirmed that the breach had occurred.
After stopping unauthorized access to the email mailboxes, the department is now reviewing the breach and the information involved. Possibly compromised information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers and information used to administer DHS programs.
“The Department of Human Services takes privacy and the confidentiality of client information seriously, and has strong information technology security processes in place, which enabled the department to detect and contain the incident,” according to a public notice. “The department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately. However, it is notifying the public because information was accessible to an unauthorized person or persons.”
DHS also will formally notify the federal Department of Health and Human Services’ Office for Civil Rights, as required under federal breach notification rules.
While there is no indication that data was copied from the mail system or otherwise used inappropriately, the department will offer credit monitoring and identity theft recovery services from IDExperts to any affected individuals.
Additional information was not immediately available.