The Oregon Department of Human Services last week disclosed that millions of agency emails had been breached in January, potentially exposing the personal medical information of hundreds of thousands of people.
The agency said it discovered the data breach involving 2 million emails on Jan. 8 and by Jan. 28 realized the emails included personal medical information protected under Health Insurance Portability and Accountability Act, known as HIPAA.
The agency hasn’t confirmed that any information was actually taken, but the hackers gained access to the emails. Agency officials couldn’t readily explain why the public was being alerted two months later.
Robert Oakes, a department spokesman, said the agency found there was the potential for the breach to impact at least 350,000 people.
Oregon’s Identity Theft Protection Act requires agencies to alert the public when there is potential to cross that 350,000 threshold. A more specific number should be available in about two weeks, Oakes said.
When asked why the public wasn’t notified in January, he said it took time to go through the large number of emails to figure out what was exposed. When asked what happened in the two months since the discovery of the breach, Oakes declined to elaborate, saying, “It just took time.”
“We want to make it publicly available out of an abundance of caution,” Oakes said.
The delay in informing the public, and the breach itself, caught the attention of Republicans in the Capitol long critical of the Department of Human Services.
“Nearly two months passed before DHS revealed that its system had been compromised, exposing Social Security numbers, birth dates and additional personal information,” House Republican spokesman Greg Stiles said in a news release. “This risks identity theft and other criminal exploitation of this data.”
The phishing scheme gained the perpetrators access to email records that included health information. Oakes said there weren’t specific files targeted, but some of the compromised emails included spreadsheets with personal information.
Oakes said the agency provides services to 1.6 million people, and the data breach could impact anyone from those involved in the foster care system, to those receiving food assistance to the elderly or disabled.
Among the information compromised was Social Security numbers and dates of birth, Oakes said.
The agency has hired an outside firm, IDExperts, to review the issue and confirm the number of people exposed in the breach and what information was compromised. That work will cost the state $480,000.
According to the news release, nine department employees opened a spam email which appeared to be from a government account. It asked recipients to click a link and log in with their email and password. That gave the hacker access to those nine accounts.
Oakes said the nine employees were spread throughout the agency. He didn’t know how many total employees received the email, but said it was “extensive.”
Oakes said all 8,500 department employees have to go through training to protect against security risks, which tells them to avoid anything questionable and provides resources they can seek if they fear an email could be a scheme. But this one was sophisticated, he said.
“It looked like something, depending on your role, that you would do through the normal course of business,” Oakes said.
Those nine email boxes contained nearly 2 million emails. The nine accounts were frozen on Jan. 8 as state experts worked to understand the issue, Oakes said.
The outside firm is now working to directly identify people whose information was exposed. It will then contact those people and inform them on how to protect themselves.