On March 6, the Oregon Department of Human Services (DHS) uncovered a phishing incident that affected on staff member’s email.
DHS takes the privacy and confidentiality of employee and client information seriously. Established information technology security processes enabled the agency to detect and contain the incident quickly and stop the unauthorized access.
A spear phishing email was sent to a DHS employee. The employee opened the phishing email and exposed their credentials to an outside entity. The agency cannot confirm that any client or employee’s personal information was copied or used inappropriately.
What DHS is doing about it
DHS is in the process of thoroughly reviewing the incident and the information involved. DHS plans to contract with an outside entity to clarify the number and identities of any individuals whose information was compromised, and the specific kinds of information involved. While there is no indication that any protected health information was copied or used inappropriately, DHS will notify any individuals whose information was compromised. DHS will provide identity theft protection services to potentially impacted employees and clients.
The security and confidentiality of private health information is critical to the Department of Human Services. While the department cannot confirm that any clients’ personal information was acquired from its email system or used inappropriately, it is notifying the public because information was accessible to an unauthorized person or persons.
DHS will provide updates as more information is known.