Roughly 645,000 people’s personal information is at risk following a January data breach at the Oregon Department of Human Services.
State officials announced the notifications Tuesday. They said they will start mailing notifications Wednesday.
Affected people were enrolled in the department’s welfare and children services programs at the time of the breach. Officials said the compromised data includes personal health information, but it is unknown whether it was viewed or inappropriately used.
The state is also providing impacted individuals with 12 months of identity theft monitoring and recovery services, which include a $1 million insurance reimbursement policy.
The breach happened during an email “phishing” attempt that targeted the department on Jan. 8. Nine employees opened the phishing email and clicked on a link that gave the perpetrator access to their email accounts.
The next day, the same nine workers started having problems with their accounts.
By Jan. 28, access to the nine accounts had been revoked, and the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach.
The initial review indicated that up to 2 million emails were involved in the breach. Due to the complex nature of the case and the volume of data, the state hired ID Experts, an outside firm, to conduct an analysis.
State officials notified the public at large on March 21 after confirming the compromised data included personal information.
“While breaches of over a half million records are becoming a common occurrence that almost can go unnoticed,” said Rod Simmons, vice president at STEALTHbits Technologies. “All of these users will get credit monitoring for a number of years but if we take a closer look something great happened from an IT perspective. Due to sufficient logging the Oregon Department of Human Services was able to provide a clearer picture of the extent of the breach. We can only hope no insurance companies leverage this stolen health information to increase premiums or deny coverage.”
“The scale of this breach is startling considering it was perpetrated through just nine successful phishing emails,” said Willy Leichter, vice president at Virsec. “Many organizations still rely on ‘common sense’ of users not to click on phishing attempts, but that’s completely inadequate. We have to move to defenses that assume users will make mistakes but still protect critical applications and data.”
“Technology, processes and policies exist to prevent this type of breach. Healthcare is a highly targeted industry for hacking and phishing because security is poor and the data is very valuable,” said Colin Bastable, chief executive of Lucy Security. “The offer of 12 months of credit monitoring services is a box-tick, business-as-usual offer: But the adverse impacts of phishing attacks last much longer and reverberate much wider. Harvested data is sold, repackaged and resold multiple times on the Dark Web – the 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come.”
“The Oregon DHS breach is very typical of the news we hear continuously. It’s not surprising that phishing and account takeover, which are known as top threats to any organization, were exploited in this breach,” said Pravin Kothari, founder and chief executive at CipherCloud. “What’s surprising is that the email attachments with sensitive personally identifiable information (PII) and personal health information (PHI) data did not have any protection, and that Oregon DHS was just not prepared for such common attacks. No matter what defensive measures security professionals put in place, today’s attackers are able to circumvent them. That’s a fait accompli. With this rise in hacking of cloud based emails and account takeovers, many organizations are bringing focus to cloud security and cloud data protection.
“Migration to the cloud presents many unique challenges in protecting your data, and has given rise to a new generation of security solution, Cloud Access Security Brokers (CASB), which has emerged with the sole purpose of protecting sensitive data while embracing cloud applications and services,” Kothari said. “An advanced CASB for Email with automated zero-trust, adaptive access control, and rights management capabilities could have avoided this breach.”