The Oregon Department of Human Services disclosed on Tuesday, June 18 that it would soon be notifying about 645,000 clients whose sensitive personal information, such as names, dates of birth, addresses and even case numbers were potentially compromised when a DHS employee fell victim to a “phishing” scheme in January of this year.
The Advocate reported on DHS’ initial admission of this incident in March, after the department hired a firm, IDExperts, to conduct a forensic examination of the breach and help assist affected clients. It was unclear at that time how many people were affected, but IDExperts’ contract stated payment of $480,000 for up to one million people, with the option to expand if the exposure is beyond one million. The affected include those enrolled in the department’s welfare and children’s services programs when the data breach occurred.
“Phishing” is one of the oldest types of email scams, where a message seems legitimate but its goal is to harvest login and access information from whoever uses the links inside. DHS says that their employees undergo training to prevent such breaches, but in March, DHS spokesperson Robert Oakes described the attack as “extremely sophisticated.”
That the data was exposed was confirmed, but it is unclear whether any of this sensitive information was viewed or used. The state is drawing from a $1 million insurance reimbursement policy to offer 12 months of identity theft protection and credit monitoring services to those affected.
By Ian MacRonald