Oregon Department of Human Services Suffered a Data Breach
Personal data of more than 645,000 Oregon Department of Human Services (DHS) clients was exposed during a data breach that occurred in January 2019, the department said yesterday.
The data breach was initially reported to the authorities when it was estimated that there were more than 350,000 people affected, a number that has been significantly revised.
The department disclosed in an official statement that the exposed information included names, residential addresses, birth dates, Social Security numbers, personal health data and other documents used by the DHS systems.
DHS set up a team of 70 law enforcement officers after the original breach was discovered in January to review up to 2 million potentially compromised e-mails, a spokesman said.
The investigation had not been completed when the data breach was announced in March, so the estimated number of victims at that time was around 350,000.
DHS has announced that it will offer a year of identity theft monitoring and recovery services, including a $1 million reimbursement policy for victims whose confidential information was exposed. The services will be provided by identity theft specialists MyIDCare, according to the press release.
The January data breach resulted from a phishing campaign in which nine DHS workers clicked on a fraudulent link, giving the attackers access to their employee accounts. These accounts were not secured until the end of January.
Jake Sunderland, a DHS spokesperson, said:
“The data breach affected clients from all five of our divisions: Aging and People with Disabilities, Developmental Disabilities, Child Welfare, Self-sufficiency, and Vocational Rehab,” Sunderland said.
“The investigation by ID Experts cost the agency $485,000 and the credit monitoring and other protections being offered to impacted clients will cost $1,054,000. The cost to hire the outside lawyers and para-professional was $30K,” he added.
Many breaches occur when employees click on links in emails from an outside source, unknowingly giving the sender access to their account; the technique is known as “phishing.” In one case, a tax agency employee copied 36,000 Oregonians’ tax data, including Social Security numbers, and stored that information on a personal cloud account.
The DHS breach occurred when nine employees clicked on suspicious links and exposed information. Interestingly, these employees had been trained in cybersecurity and confidentiality, including phishing, prior to the breach.
Employees of the Oregon Health Authority, which shares an IT department with DHS, also received training and messages warning about the dangers of phishing before and after the January breach.
However, an employee of the Oregon State Hospital clicked on a phishing link in May, potentially exposing patients' medical data. The Oregon Health Authority is investigating the amount of information that may be at risk, said spokesman Robb Cowie.
According to a database of the Oregon Department of Justice, at least five other state entities, including the Oregon Institute of Technology, have discovered data breaches affecting 250 or more people since 2017. The agencies on the list hold particularly confidential information about everything from taxes to medical care.
State officials recognize their responsibility to protect consumer data.
What should you do?
Clients of the Department of Human Services affected by the January breach will receive letters in the coming weeks to inform them and provide them with access to government-provided identity and credit monitoring services.
OSPIRG officials said that people should take steps to protect their information whether or not they are victims, as these security breaches occur very frequently in businesses and governments.
Security and Data Limits
- Consider how much data you really need to provide to a website or third-party service.
- If the third party wants to store your payment information, do not take the risk.
- This means that data thieves will not have access to this information in case of a data breach. Nor will they be able to use it if they access your account with stolen login information.
In addition to payment information, consider whether you really need to provide other information to a third party, such as:
- Email address
- First Name and Surname
- Phone number
You might also want to think about what data you’re handing over just by using the service. Do not give the third party the opportunity; limit the information you give to third parties.