Frequently Asked Questions
On January 28, 2019, the Department of Human Services and the Department of Administrative Services Enterprise Security Office confirmed that sensitive information may have been accessed through targeted phishing. Nine individual employees opened a spear phishing email and clicked on a link that compromised their email boxes, allowing the malicious sender to potentially access email information.
Because DHS takes privacy and the confidentiality of client information seriously, the department has information technology security processes in place, which enabled the department to detect and contain the incident.
When did this happen?
DHS became aware on January 28, 2019 that information might have been compromised when they began hearing from DHS employees whose mailboxes had been accessed. Passwords were immediately reset to stop access, and security officials began investigating to determine the scope of the incident and the specifics of the information involved.
What personal information was exposed?
The information may have included first and last names, addresses, birth dates, Social Security numbers, case numbers and other information used in DHS programs. It also may have included personal health and other information.
Was the information protected/encrypted?
Information was encrypted at the server, storage and desktop levels. But the phishing incident meant that data in the email boxes could be seen.
How many people are involved?
There are about 645,000 people involved.
Who is the State of Oregon, DHS? I don’t remember that name or I never went there.
DHS Programs are: Child Welfare, Self-Sufficiency Programs, Aging and People with Disabilities, Vocational Rehabilitation, Office of Developmental Disabilities Service and Oregon Health Plan eligibility.
Have the police been notified? If so, which police department?
The Oregon State Police were notified.
How can I have my information removed from the server/directory?
I understand your concern. Due to state and federal regulations, records must remain on file.
Why didn’t you tell affected individuals about the loss of the data sooner?
With any such event, it takes time to investigate whether an incident even occurred, gather the relevant information, identify the affected individuals and make the appropriate decisions to line up the services that are being offered to identified affected individuals. While access to the email boxes was successfully stopped, it took time to thoroughly review the nearly two million emails involved and determine the number of emails that might contain personal information of clients receiving services from DHS. DHS put out a media release on March 21 to make the public aware while the review was underway to identify who needed an individual notification.
What is the State of Oregon, DHS doing to prevent this kind of loss from happening again?
The security and confidentiality of personal information are critical to DHS. Security updates and patching are kept up to date; independent vendor security assessments are performed; and industry-leading software is used to be proactive against targeted attacks. To minimize the risk of this type of event, the email web application is currently shut down, and mandatory continuing education of users about phishing attacks and continuous improvement of the processes involved in detecting and responding to phishing attacks are ongoing.
While there is no indication that any personal information was used inappropriately, the department is offering identity theft recovery services for potentially impacted individuals. A cyber security vendor, ID Experts, is sending individual notices to identified individuals, including notices to clients whose HIPAA-protected information was involved, with instructions on how to register for services, which include free credit monitoring.
ID Experts has also established a toll-free information line at 800-792-1750.
If there are any updates regarding this letter, how will I be notified?
Please check the special website set up for DHS data breach information: https://ide.myidcare.com/oregondhs.
Has the information been misused?
At this time, there is no evidence that there has been any use or attempted use of the information exposed in this incident.
I am not listed in your system; however, I would like information regarding this incident.
I appreciate your concern. Unfortunately, I am unable to provide information except to those individuals that have received a notification letter.
What are the risks of identity theft with the information that was exposed?
Receiving a letter does not mean that you are a victim of identity theft. We are recommending that people review their letter and the recommendations provided.
Is there anything I need to do in response to the exposure of my personal information?
Once you are enrolled in the ID Experts membership, you may also take advantage of your rights to the free fraud alert services offered by the three major credit bureaus. Placing fraud alerts will provide your credit with additional protection. In addition, doing so will give you access to copies of each of your credit reports at no cost to you.
My [spouse/child/family member/partner] has passed away and I handle their affairs. Can you speak/assist me regarding this letter?
Yes, ID Experts can help.
I am with (Media); can you provide me with further information about the recent data breach with State of Oregon, DHS?
Media questions should go to DHS Communications at 503-945-6331 or Communications.DHS@dhsoha.state.or.us.
Is the letter legitimate? I’m worried this is a scam.
I can assure you the letter is legitimate and not a scam. You can check us out at www.oregon.gov/dhs. DHS is committed to protecting individuals’ security and privacy and takes this incident very seriously. We regret any inconvenience this may cause you.