SALEM, Ore. — Oregon's Department of Human Services (DHS) revealed on Thursday that the private data of more than 350,000 clients may have been accessed in a massive data breach that began earlier this year.
The agency said that the breach stemmed from a phishing scam that infected the emails of nine separate employees after they clicked a suspicious link. The link "compromised their email mailboxes," and allowed the scammers to access the employees' emails.
"Unfortunately, Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA) was compromised and potentially exposed," DHS said.
DHS had a security issue affecting employee e-mail accounts. Please see our announcement for what you need to know: https://t.co/KNWCnvNQ4l
— Oregon DHS (@OregonDHS) March 21, 2019
Officials have not yet been able to confirm that the personal information of any specific clients was taken during the breach, but the potential size of the breach — more than 350,000 — means that the agency is required to notify the public under Oregon law.
According to DHS, scammers may have had access to the first and last names, addresses, dates of birth, Social Security numbers, case numbers, and other information from thousands of clients.
"While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft recovery services for impacted individuals," DHS said.
DHS discovered the breach on January 28, and believe that the phishing scam targeting DHS employees began on January 8.
The agency said that it has hired an outside company called IDExperts to look into the breach and find out exactly how many people may have been compromised — and what specific information may have been available on each client.
On Thursday afternoon, Oregon Republican lawmakers quickly released a statement panning DHS officials' handling of the breach.
“Transparency continues to be a systemic problem at DHS. Oregonians deserve better from government agencies and departments. Protection of personal information they are required to provide the state should be given the highest priority. Beyond that, we’re seeing a growing accountability issue when DHS fails to quickly inform the public about embarrassing matters,” said House Republican Leader Rep. Carl Wilson (R-Grants Pass).