SALEM, Ore. — As many as 645,000 clients with the Oregon Department of Human Services could have their personal information compromised, according to DHS officials. 

Letters are going out to the people who could be impacted. The data breach occurred in January 2019.

The department is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to people whose information was accessible. Instructions on how to enroll in this service are included in each notification letter.

An internal investigation found this all started when DHS was targeted by an email “phishing” attempt. A phishing email was sent to department employees on January 8. Nine employees opened the phishing email and clicked on an internet link that gave the sender access to their email accounts. Beginning January 9, these nine employees started reporting problems. All affected accounts were located and access to the nine affected accounts was stopped by January 28. 

The investigation confirmed that no other email accounts had been compromised and that no malware had been installed on department desktop computers or laptops.

Initial review of the incident indicated up to 2 million emails might be involved.

Once it was confirmed that the compromised data included personal information, the department created an incident call center and website with information about the breach. DHS notified the public on March 21.

The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers and personal health information.

Department clients who have questions about the breach or who need help enrolling in MyIDCare can call (800) 792-1750 toll-free or visit the website here.