350,000 Patients, 2 Million Emails Exposed in Oregon DHS Phishing Attack

April 12, 2019


Nine employees of the Oregon Department of Human Services fell victim to a targeted phishing attack, exposing personal and medical data held in 2 million compromised emails, according to HealthITSecurity.


On January 28, Oregon DHS’ Enterprise Security Office Cyber Security team determined the email accounts were breached, according to officials. A third-party security team was hired to investigate the incident and determine what information was exposed in the cyberattack.


Officials determined that the phishing emails were sent to DHS employees on January 8. The employees clicked on the link, which compromised their accounts and gave the hackers access to the employees’ email information.


The investigation revealed those accounts contained roughly 2 million emails, including the personal and medical data of its patients. The security team was able to stop the hacker’s access, and DHS is currently reviewing the incident and the specific information involved.

The exact number of patients impacted by the event has not yet been finalized, but DHS serves about 1.2 million clients. Once confirmed, the impacted patients will receive a notification.


The unauthorized person had access to client data, including full names, addresses, dates of birth, Social Security numbers, case numbers, and other administration information, according to officials. The investigation did not find evidence that the data was copied from the DHS system.


The breach is similar to the targeted phishing campaign that Minnesota’s Department of Human Services faced over the summer. Several employees fell victim, and officials did not discover the attack until months later. Just 21,000 patients were impacted; however, the hearing that followed highlighted two critical issues facing government agencies and healthcare: a lack of resources and a lack of staff to better prevent and detect phishing attacks.


A recent Barracuda report found that hackers are exploiting urgency and personalization in phishing attacks: 70 percent of phishing attacks attempt to establish rapport with victims. As a countermeasure, a JAMA study determined that phishing education and training significantly reduced the likelihood that employees would open a malicious email.


HIPAAcraticRx provides just such training. Contact our team to educate your team to recognize the signs of suspicious emails, and to keep your practice’s ePHI safe.




HIPAAcraticRx - The Prescription for HIPAA Compliance


20 Hempstead Turnpike, Farmingdale, New York 11735 . (516) 200-6610 . info@hipaacraticrx.com

© 2019 HIPAAcratic Rx