Nine employees of the Oregon Department of Human Services fell victim to a targeted phishing attack that exposed personal and medical data held in roughly 2 million emails, according to HealthITSecurity.
On January 28, Oregon DHS’ Enterprise Security Office Cyber Security team determined the email accounts were breached, according to officials. A third-party security team was hired to investigate the incident and determine what information was exposed in the cyberattack.
Officials determined that the phishing emails were sent to DHS employees on January 8. The employees clicked on the link in the messages, which compromised their accounts and gave the attackers access to the contents of the employees' mailboxes.
The investigation revealed that those accounts contained roughly 2 million emails, including the personal and medical data of DHS clients. The security team was able to cut off the attacker's access, and DHS is currently reviewing the incident and the specific information involved.
The exact number of clients impacted by the event has not yet been finalized; DHS serves about 1.2 million clients. Once the figure is confirmed, the impacted clients will receive a notification.
The unauthorized person had access to client data, including full names, addresses, dates of birth, Social Security numbers, case numbers, and other administrative information, according to officials. The investigation did not find evidence that the data was copied from the DHS system, though having read access to a mailbox is itself a reportable exposure.
The breach is similar to the targeted phishing campaign that Minnesota's Department of Human Services faced over the summer. Several employees fell victim, and officials did not discover the attack until months later. Only about 21,000 patients were impacted in that case, but the hearing that followed highlighted two critical issues facing government agencies and healthcare: a lack of resources and a lack of staff to prevent and detect phishing attacks.
A recent Barracuda report found that attackers are exploiting urgency and personalization in phishing attacks: 70 percent of phishing attacks attempt to establish rapport with the victim before asking for anything. On the defensive side, a JAMA study found that phishing education and training significantly reduced the likelihood that employees would open a malicious email.
HIPAAcraticRx provides just such training. Contact us to teach your staff to recognize the signs of suspicious emails and to keep your practice's ePHI safe.