The Oregon Department of Human Services Thursday disclosed that millions of agency emails had been breached in January, potentially exposing the personal medical information of hundreds of thousands.
The agency said it discovered the data breach involving 2 million emails on Jan. 8 and by Jan. 28 realized the emails included personal medical information protected under the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.
The agency hasn’t confirmed that any information was actually taken, but the hackers gained access to the emails. Agency officials couldn’t readily explain why the public was being alerted two months later.
Spokesman Robert Oakes said the agency does not know how many people’s information was exposed. Oakes said the agency ruled there was potential for the breach to impact at least 350,000 clients. Oregon’s Identity Theft Protection Act requires agencies to alert the public when there is potential to cross that 350,000 threshold. A more specific number should be available in about two weeks, Oakes said.
When asked why the public wasn’t notified in January, he said it took time to go through the large number of emails to figure out what was exposed. When asked what happened in the two months since the discovery of the breach, Oakes declined to elaborate, saying, “It just took time.”
“We want to make it publicly available out of an abundance of caution,” Oakes said.
The delay in informing the public, and the breach itself, caught the attention of Republicans in the Capitol, long critical of DHS.
“Nearly two months passed before DHS revealed that its system had been compromised, exposing social security numbers, birth dates and additional personal information,” House Republican spokesman Greg Stiles said in a news release. “This risks identity theft and other criminal exploitation of this data.”
The phishing scheme gained the perpetrators access to email records that included health information, according to a news release from the Department of Human Services. Oakes said there weren’t specific files targeted, but some of the compromised emails included spreadsheets with personal information.
Oakes said the agency provides services to 1.6 million people, and the data breach could impact anyone from those involved in the foster care system, to those receiving food assistance, to the elderly or disabled.
Among the information compromised was Social Security numbers and dates of birth, Oakes said.
The agency has hired an outside firm, IDExperts, to review the issue and confirm the number of clients exposed in the breach and what information was compromised. That work will cost the state $480,000.
According to the release, nine DHS employees opened a spam email which appeared to be from a government account. It asked recipients to click a link and log in with their email and password. That gave the hacker access to those nine accounts.
Oakes said the nine employees were spread throughout the agency. He didn’t know how many total employees received the email, but said it was “extensive.”
Oakes said all 8,500 DHS employees have to go through training to protect against this sort of thing, which tells them to avoid anything questionable and provides resources they can seek if they fear an email could be a scheme. But this one was sophisticated, he said.
“It looked like something, depending on your role, that you would do through the normal course of business,” Oakes said.
Those nine email boxes contained nearly two million emails. Those nine accounts were frozen on Jan. 8 as state experts worked to understand the issue, Oakes said.
The outside firm is now working to directly identify those whose information was exposed. It will then contact those people and inform them on how to protect themselves.
Starting Friday, people who are worried their information was involved can call 800-792-1750 or go to http://ide.myidcare.com/oregonDHS for help.