The Oregon Department of Human Services (DHS) announced late last week that nine of its staff members had fallen victim to a phishing campaign and that their email boxes were compromised on January 8, 2019. The intrusion was discovered on January 28, 2019. When the intrusion was discovered, the staff members’ changed their passwords to stop the access and an investigation commenced.

Following the investigation, it was learned that over two million emails were involved, and that the personal and protected health information of over 350,000 individuals had been compromised.

The information contained in the emails included DHS clients’ names, addresses, Social Security numbers, DHS case numbers “and other information used to administer DHS programs.”

DHS is offering identity theft resolution services and free credit monitoring to affected individuals.

DHS confirmed that it will be filing a data breach report with the Department of Health and Human Services’ Office for Civil Rights.