Cyber Incident Victim: Oregon Department of Human Services

On March 6, 2020, the Oregon Department of Human Services (ODHS) identified a phishing incident that compromised a single staff member’s email account. The breach was discovered through internal security protocols, though specific detection methods were not disclosed. ODHS immediately secured the affected email account upon discovery to prevent further unauthorized access. The department initiated an investigation to assess the scope and potential data exposure, engaging unspecified third-party cybersecurity resources to assist. On March 20, 2020—two weeks after detection—ODHS publicly disclosed the incident via a press release, acknowledging that an unauthorized party had gained access to the email system. While the agency could not confirm whether client data was actually exfiltrated or misused, it determined that personal health information was potentially accessible during the breach window. This uncertainty stemmed from the nature of the compromise, which did not provide definitive evidence of data theft or viewing.

The incident exposed sensitive client information entrusted to ODHS, including private health data, though the exact number of affected individuals remained unspecified. In response, ODHS proactively notified the public and offered free credit monitoring services to potentially impacted clients as a precautionary measure. The department reported the breach to law enforcement agencies, though no further details about investigative partners or outcomes were provided. ODHS emphasized its commitment to data security and confidentiality in its communications, acknowledging the critical importance of safeguarding health information. No ransomware deployment, data destruction, or secondary attacks were reported in connection with the phishing incident. The agency’s transparency about the breach despite inconclusive evidence of data misuse reflected its adherence to notification protocols for potential privacy violations.