Oregon Department of Human Services

The Oregon Department of Human Services is a state government agency responsible for administering a range of public human services programs for residents of Oregon. Its operations involve the management and safeguarding of extensive volumes of sensitive client data, including protected health information, names, addresses, dates of birth, social security numbers, and program-specific case numbers. The scale of its data handling responsibilities is evidenced by a 2019 security incident where over two million emails containing information from more than 350,000 clients were potentially exposed following a spear phishing attack. This incident underscores the agency's critical role in maintaining confidential records for a substantial client base across various state-administered assistance programs.

The agency's distinguishing attribute is its stewardship of highly sensitive personal data, a responsibility that has been repeatedly challenged by sophisticated cyber attacks. Two documented phishing incidents, in 2019 and 2020, compromised multiple employee email accounts and highlighted persistent vulnerabilities in its email security posture. The 2019 breach, which involved nine mailboxes and potentially exposed data for hundreds of thousands of individuals, was classified under state identity theft laws and necessitated a significant public response, including a toll-free support line and offers of free credit monitoring. These events illustrate the agency's operational reality of managing a large, data-intensive portfolio of services while facing ongoing threats targeting its personnel and systems. The documented responses, such as mandatory password resets and public notifications, reflect established protocols for mitigating damage following a security compromise. The nature of the compromised information—including social security numbers and detailed case data—emphasizes the high stakes of its data protection mission.