Oregon DHS hit by massive phishing attack, 645K accounts compromised

Fox News, June 20, 2019, with comments from Willy Leichter;

645,000 of 1,000,000 Oregon clients of Department of Human Services had PHI exposed

Last week, the Oregon Department of Human Services (DHS) had to inform about 645,000 of their clients that their protected health information (PHI) was compromised. The DHS serves 1,000,000 Oregon residents annually, who were victims of a phishing attack that began in January.

Hackers prepare a phishing email by making it look authentic in every way, and as though it’s from someone the receiver knows. The email has a fake link in it that usually links to website that is fake but looks legitimate. The site is set up to coax the victim into revealing their confidential user information. Once the hackers have stolen the information – login info, passwords, credit card data and more – they can access all the user’s private information.

Nine Employees Clicked Phishing Link, Open Gates to Hackers

The phishing email was sent to the company on January 8, 2019. Nine employees clicked the fraudulent phishing link, which inadvertently revealed their login credentials. The hackers then gained access to the employees’ email accounts, messages and attachments. But DHS didn’t realize they had been breached right away. They first realized something was wrong when the nine employees who clicked on the phishing link began reporting problems the next day. But it wasn’t until January 28 that the email accounts where shut down. It took that amount of time for the department, along with outside help from the Enterprise Security Office Cyber Security team, to confirm the phishing attack was a data breach.

At first, they believed up to 2 million emails had been affected by the breach. The state brought in outside help to perform analysis.

The 19-day delay between realizing the phishing attack and closing the email accounts is a notable time gap. And all the more damaging to the company because users had relied on email to save and store confidential documents as attached, unsecured and vulnerable. More can be and should be done to protect this information, especially being in the healthcare field.

DHS made their initial announcement of the compromise to the public March 21, as well as shared the information with TransUnion, Experian and Equifax (credit reporting agencies).

“The scale of this breach is startling considering it was perpetrated through just nine successful phishing emails,” Willy Leichter, VP at Virsec, told Fox News in a statement. “Many organizations still rely on the ‘common sense’ of users not to click on phishing attempts, but that’s completely inadequate.”

Leichter also added to ISS Source, “We have to move to defenses that assume users will make mistakes but still protect critical applications and data.”

Stolen PHI Can Wreak Havoc for a Long Time

Oregon residents affected by the breach were enrolled in programs in the department’s welfare and children’s services when the breach happened. PHI data was compromised but it’s not certain yet whether the hackers viewed the information or have begun using it fraudulently.

The sensitive nature of the exposed data, if misused, is of the sort that could plague the data owners for years to come – such as their names, addresses, birth dates, Social Security numbers, case numbers, personal information about their health and other information in the DHS system.

Stolen personal data is a well-used product on the Dark Web. It’s bought and sold over and over. For all the 645,000 victims in Oregon, and their families, they could be impacted by this data being compromised for a long time.

Oregon DHS is giving the victims 12 months of identity theft monitoring and recovery services.

Read full Oregon DHS hit by massive phishing attack article

Read full Phishing Attack at OR Human Services article

Additional source

Further resources:


Microsoft Bluekeep Flaw Threatens Medical Devices, IoT

The 2019 Verizon Data Breach Investigative Report Is Out – Shows Major Perimeter Weaknesses for Enterprises

Marriott reports massive data breach of 500 million of its Starwood guest records

White paper:
Solution Brief: Protection Against Advanced Web Attacks

Timeline of Major Breaches in 2018

Newsletter: June issue