The Oregon Department of Human Services Thursday disclosed that millions of agency emails had been breached in January, exposing the personal medical information of potentially hundreds of thousands.
The agency said it discovered the data breach involving 2 million emails on Jan. 8 and by Jan. 28 realized the emails included personal medical information protected under the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.
The agency hasn’t confirmed that any information was actually taken, just that it was exposed. Agency officials couldn’t readily explain why the public was being alerted two months later.
Spokesman Robert Oakes said the agency does not know how many people's information was exposed. Oakes said there is the potential for the breach to expose the information of at least 350,000.
When asked why the public wasn't notified in January, he said it just took time to go through the large number of emails to figure out what was exposed. When asked what happened in the two months since the discovery of the breach, Oakes declined to elaborate, saying “it just took time.”
“We want to make it publicly available out of an abundance of caution,” Oakes said.
The phishing scheme gained the perpetrators access to email records that included health information, according to a news release from the Department of Human Services.
Oakes said the agency provides services to 1.6 million people, and the data breach could impact anyone, from those involved in the foster care system to those receiving food assistance to the elderly or disabled.
Among the information compromised were Social Security numbers and dates of birth, Oakes said.
The agency has hired an outside firm, IDExperts, to review the issue and confirm the number of clients exposed in the breach and what information was compromised.
According to the release, nine DHS employees opened a spam email and clicked on a link which gave the hackers access to the employees’ email records. Those nine email boxes contained nearly two million emails. Those nine accounts were frozen on Jan. 8 as state experts worked to understand the issue, Oakes said.
The outside firm is now working to directly identify those whose information was exposed. It will then contact those people and inform them on how to protect themselves. Starting Friday, that firm will staff a call center and website where people who believe they are victims of the scheme can access information.