Cyber Incident Victim: Oregon Department of Human Services

Date: Jan 2019

Location: United States of America

Summary

A spear phishing attack compromised nine employee mailboxes at the Oregon Department of Human Services, potentially exposing over 2 million emails containing Protected Health Information from more than 350,000 clients. The breach involved unauthorized access to sensitive data including names, addresses, dates of birth, Social Security numbers, and case numbers used in administering programs. Following detection, the organization reset passwords to prevent further unauthorized access and initiated an investigation to assess the scope of impacted records. The incident was classified as a data breach under state identity theft laws, prompting the establishment of a toll-free support line and distribution of notifications offering affected individuals free credit monitoring services.

Description

On January 28, 2019, the Oregon Department of Human Services (DHS) experienced a data breach involving unauthorized access to nine employee email accounts compromised through a spear phishing attack. The DHS Enterprise Security Office Cyber Security team identified the breach on the same day, determining that attackers had infiltrated the mailboxes. The department promptly contained the incident by resetting the compromised account passwords, preventing further unauthorized access. An investigation was initiated to assess the scope of exposed data, focusing on identifying the number of impacted records containing personal information of clients served by DHS. The review revealed that approximately 2 million emails—housing Protected Health Information (PHI) of over 350,000 individuals—were potentially accessed by the attackers. The compromised data included first and last names, addresses, dates of birth, Social Security numbers, case numbers, and other details used to administer DHS programs.

Oregon DHS formally classified the incident as a data breach under Oregon’s Identity Theft Protection Act (ORS 646A.600 to 646A.628), acknowledging that PHI had been accessible to an unauthorized party. On March 22, 2019, the department established a toll-free information line (800-792-1750) to assist affected clients and announced plans to send breach notification letters via US mail. These notices included instructions for enrolling in free credit monitoring services. The breach did not disrupt DHS program operations, but the exposure of sensitive client data necessitated regulatory compliance and consumer protection measures. The department emphasized its commitment to privacy and cybersecurity in public communications while directing impacted individuals to additional resources for further guidance.
