The Oregon Department of Human Services Thursday, March 21, disclosed that millions of agency emails had been breached in January, exposing the personal medical information potentially hundreds of thousands of people.

Agency officials said it discovered the data breach involving 2 million emails on Jan. 8 and by Jan. 28 realized the emails included personal medical information protected under Health Insurance Portability and Accountability Act, otherwise known as HIPAA. The agency hasn’t confirmed that any information was actually taken, just that it was exposed. Agency officials couldn’t readily explain why the public was being alerted two months later.

The exact number of people affected by the breach hasn’t been calculated. Agency spokesman Robert Oakes said DHS does not know how many peoples’ information was exposed, but the number could reach at least 350,000. Oakes said the public wasn’t notified in January because it took time to go through the large number of emails to figure out what was exposed. “We want to make it publicly available out of an abundance of caution,” he said.

A phishing scheme

The phishing scheme gained the perpetrators access to email records that included health information, according to a news release from the Department of Human Services. Agency services are provided to about 1.6 million people, and the data breach could impact anyone from people involved in the foster care system, to those receiving food assistance to the elderly or disabled.

Among the information compromised was Social Security numbers and dates of birth, Oakes said. The agency hired IDExperts to review the issue and confirm the number of clients exposed in the breach and what information was compromised.

According to the release, nine DHS employees opened a spam email and clicked on a link which gave the hackers access to the employees’ email records. Those nine email boxes contained nearly two million emails. Those nine accounts were frozen on Jan. 8 as state experts worked to understand the issue, Oakes said.

The outside firm is working to identify people whose information was exposed. It will also tell those people how to protect themselves. Starting Friday, IDExperts will staff a call center and website where people who believe they are victims of the breach could access information.

Reporter Aubrey Wieber: aubrey@salemreporter.com or 503-375-1251. He is with the Oregon Capital Bureau, a collaboration of the Pamplin Media Group, EO Media Group, and Salem Reporter.