Oregon Agency's Breach Tally Nearly DoublesState's Department of Human Services Now Says 645,000 Affected
(This story has been updated.)
The number of individuals affected by a phishing-related breach disclosed in March by the Oregon Department of Human Services has nearly doubled, according to a new notification statement, which offers more details.
In a statement issued Tuesday, the Oregon Department of Human Services says it's mailing notices to 645,000 clients, notifying them that their personal information was compromised during a January phishing incident, which was previously announced by the agency on March 21.
"It is not known if the compromised information, which includes personal health information, was viewed or used inappropriately," the agency's new statement states.
In March, the department, which provides services to children, adults, families, seniors and those with disabilities, had estimated that at least 350,000 clients had their data potentially exposed in the breach.
The department is providing 12 months of prepaid identity theft monitoring and recovery services to individuals whose information was accessible, the agency adds.
The Oregon DHS says its employees were targeted by a phishing campaign on Jan. 8. "Nine employees opened the phishing email and clicked on an internet link that gave the sender access to their email accounts. Beginning Jan. 9, these nine employees started reporting problems," the newly issued statement notes.
"All affected accounts were located and access to the nine affected accounts was stopped by Jan. 28," the notice states. That same day, the department and its enterprise security office's cybersecurity team confirmed that the phishing incident resulted in a data breach, the agency says.
"The investigation confirmed that no other email accounts had been compromised and that no malware had been installed on department desktop computers or laptops," the statement says.
Initial review of the incident indicated up to 2 million emails might be involved. After the breach was contained, the department began its electronic forensic investigation and analysis to identity exactly what data was compromised, it says.
"Due to the exceedingly large amount of data and its complexity, the state determined that it would be appropriate to hire an outside firm, ID Experts, for data analysis."
Once it was confirmed that the compromised data included personal information, the department says it created an incident call center and website with information about the breach.
"Most client information involved in the breach was in email attachments, like reports. The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information and other information used in DHS programs," the agency says.
Discrepancy in Reporting?
Although the Oregon agency initially disclosed March 21 that the breach impacted at least 350,000 individuals, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool shows that the breach was reported one day later - on March 22 - to HHS' Office for Civil Rights as a "hacking/IT incident" involving a business associate, impacting email and affecting only 500 individuals.
Based on the revised total of 645,000 individuals affected, the Oregon incident could be the third largest health data breach added to the so called "wall of shame" in 2019 once the number of victims is adjusted.
As of Thursday, the largest health data breach added this year to the federal tally was an incident that involved Puerto Rico-based clearinghouse and cloud software services provider Inmediata Health Group, which affected nearly 1.6 million individuals.
Oregon DHS Responds
An Oregon DHS spokesman tells ISMG that the breach victim tally nearly doubled between March and June because the agency issued its March 21 statement "before we had fully identified the actual number of affected clients."
Oregon law defines a number of thresholds and required types of notifications depending on the size of the breach, he says. "When we believed that the number of impacted consumers would be at least 350,000, we issued the press release as part of a substitute notice of a breach under Oregon's Identity Theft Protection Act."
The new 645,000 figure is the final count for affected individuals, the spokesman says. "We have completed our investigation into the data exposed and the number of clients affected by the breach," he says.
Oregon DHS is now sending notification letters to all those affected, he adds. "The public notification in March was a substitute breach notification under Oregon's Identity Theft Protection Act and served as breach notification until all affected clients were identified."
So why was there a three month lag between the initial public disclosure of the breach, and the finally breach tally? "There were 2 million emails that our teams had to review before we could determine the final number of impacted clients, the types of information impacted and the identity of those clients," the spokesman says. "We had a team of 70 attorneys and paralegals who had to read every one of those 2 million emails and attachments."
The spokesman adds: "We have not found any evidence that the information was actually viewed or used inappropriately. We know that there was a window open, but we haven't seen any evidence that someone looked into the window or took anything out of it."
Oregon DHS has taken a series of steps to prevent security incidents, the spokesman says, including:
- Requiring all employees to take annual security and privacy awareness training;
- Keeping security updates and patching up to date;
- Performing independent vendor security assessments;
- Deploying "industry leading software" for identifying and preventing targeted attacks;
- Working with its enterprise security office to continually improve security processes and practices.