The Oregon Department of Human Services reported an email phishing attack on two million agency emails, which may have exposed more than 350,000 individuals' medical information.
HIPAA-protected medical information of at least 350,000 Oregonians that may have been affected includes names, addresses, Social Security numbers, dates of birth and case numbers, according to a news release.
On Jan. 8, Oregon DHS employees received a phishing email. Nine employees opened the email and clicked on a link, which gave unauthorized users access to the employees' email information and compromised their email mailboxes that collectively contained nearly two million emails.
Oregon DHS provides services to 1.6 million people, and the data breach could affect individuals involved in foster care or the state's food assistance system as well as any elderly or disabled people, agency spokesman Robert Oakes told the Cannon Beach Gazette.
The agency hired third-party firm IDExperts to investigate the security breach, which concluded there is no indication that any personal information has been used inappropriately as a result of the breach. Oregon DHS is in the process of identifying clients who have been affected by the cyberattack, and IDExperts will mail letters to notify those individuals. Oregon DHS will also provide identity theft recovery services for those affected.