By Bruce Sussman
Wed | Jun 19, 2019 | 11:57 AM PDT

Nearly 650,000 clients of the Oregon Department of Human Services had their Protected Health Information (PHI) exposed in a cyber attack in early 2019.

PHI and PII data exposed in data breach

Oregon DHS says it recently completed months of forensic investigation into the breach and found that the exposed information included some of the most sought-after data on the Dark Web:

•  Social Security numbers
•  Personal Health Information (PHI)
•  First and last names
•  Addresses
•  Dates of birth

Healthcare information breaches: more serious

This type of healthcare-related data breach can lead to serious consequences because the exposed data is inextricably linked to who people are, not just to some randomly assigned account.

We interviewed Tamika Bass about the challenges of PHI at SecureWorld Atlanta. Bass is the Chief Information Security Officer (CISO) for the Georgia Department of Public Health. 

"You can fix things that happen with your Social Security number, you can get a new credit card when your card information is compromised. But when your protected health information is compromised, it’s a totally different situation."

And Bass explains that her healthcare industry peers in each state have a lot to secure. In Georgia, it looks like this:

"We have 120 counties, 18 health districts, and about 70 applications that we are responsible for securing."

Cyber attack started with phishing

Oregon DHS also revealed new information on how hackers got access to agency inboxes. Employees gave hackers that access by falling for a phishing scam.

"The department was targeted by an email 'phishing' attempt. A phishing email was sent to department employees on January 8, 2019. Nine employees opened the phishing email and clicked on an internet link that gave the sender access to their email accounts.

Beginning January 9, 2019, these nine employees started reporting problems. All affected accounts were located and access to the nine affected accounts was stopped by January 28, 2019. On January 28, 2019, the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach."

The department says "it has now closed access to the email web application involved" and claims that it "regularly trains its staff about recognizing phishing attacks."

Data breach nearly doubled in size 

The Oregon DHS made an initial data breach announcement in March.

Since that time, a team of specialists determined the scope of the breach and increased the number of exposed clients from about 350,000 to approximately 650,000. 

The agency is now sending a data breach notification to all of the clients who had their data exposed in this breach.

You can put this one down in the books as another successful phishing attack.
