1. Home
  2. States
  3. Oregon

Oregon

Table of Contents

Data breaches occur when unauthorized parties obtain sensitive or personal information for financial gain. Cybercriminals obtain this data in various ways, such as malware, phishing, stolen identities, hacking, or ransomware. This has been a prevalent issue in Oregon, considering the state Attorney General Rosenblum declared there had been an increase reported to his office in 2021.

Oregon is highly ranked in the country for data breach trends, and it ranks 25th in the number of victims per state nationwide. The losses incurred in 2023 were $136,052,036, illustrating the problem has progressed over the last few years. Common targets within the state include government institutions, healthcare, and educational facilities, as defined by the most significant breaches experienced.

Identity Theft Statistics

Identity Theft
Reports
31TH
State Rank (Reports per 100K Population)
4,005
Identity Theft Reports
Fraud & Other
Reports
7TH
State Rank (Reports per 100K Population)
28,711
Total Fraud & Other Reports
Fraud
Losses
$15.5M
Total Fraud Losses
$250
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
27%
Identity Theft
12%
Telephone and Mobile Services
7%
Prizes, Sweepstakes and Lotteries
6%
Online Shopping and Negative Reviews
6%
Banks and Lenders
5%
Internet Services
4%
Debt Collection
4%
Auto Related
3%
Health Care
2%

Top Identity Theft Types

31%
2,322
Credit Card Fraud
18%
1,308
Other Identity Theft
17%
1,291
Bank Fraud
11%
834
Phone or Utilities Fraud
10%
757
Employment or Tax-Related Fraud
8%
578
Loan or Lease Fraud
4%
332
Government Documents or Benefits Fraud

Oregon's Recent Biggest Data Breaches

2023
June

Oregon DMV Hack

In June 2023, the Oregon Department of Transportation determined that their systems were exposed due to the hack on the transfer tool MOVEit. On discovery, they secured their network and assessed the areas where they were the most vulnerable or exposed due to the attack. The Department of Transportation is still working with state cybersecurity services and has engaged the assistance of third-party specialists to assist in the investigation. For residents, anyone with an active Oregon Driver's license, permit, or identity should assume that their information was exposed because of the breach. Oregon residents were advised to take immediate action by monitoring their accounts and obtaining credit reports.

2022
August

Careoregon Paper/Films Breach

In August 2022, CareOregon determined an incident entailing the disclosure of its members' personal information. Marketing letters were sent to the wrong addresses of its members, and they had Protected Health Information. This incident involved 8,022 people. Some of the information exposed included member names, identification numbers, and dates of birth. The affected individuals were subsequently notified concerning the data breach. CareOregon indicated that it was a low-risk incident for identity theft or fraudulent activities.

2022
July

Legacy Health

In July 2022, Legacy Health found that an employee in the office had saved files to external devices without authorization. Upon learning about the incident, the company suspended the personnel's access to the systems and began an investigation. Legacy Health also contracted a third-party forensics firm to help with the investigation. It was found that the employee transferred the company's documents to personal storage via email or external drives. Some information exposed included patient names, birth dates, medical record details, service dates, provider names, health insurance information, and treatment data. In November 2022, Legacy Health began mailing letters to all affected and offered complimentary credit monitoring. Eight thousand sixty-five patients were affected due to the breach.

2022
January

Avamere Network Server Breach

Premere indicated that a network utilized by their business associate, Avamere Health, was breached in January 2022. An unauthorized party removed files and folders from Premere's network as well. Premere began a forensic investigation to assess what happened in May of the same year. It determined that specific information was compromised, including names, birth dates, Social Security numbers, addresses, driver's license details, medical information, and lab results. The company also started to notify the 183,000 affected individuals from the incident. It also advised that all affected people regularly check their credit or financial accounts.

2019
May

Oregon Medicaid System Breach

In May 2019, the Oregon Health Authority and the Enterprise Security Office Incident Response Team determined a breach had happened. This resulted from a phishing email sent to an OHA state hospital employee, who opened it and exposed credentials to the unauthorized party. The email revealed protected health information belonging to hospital patients. Information included names, birth dates, medical records, treatment care plans, and other data used for treatment. The Oregon Health Authority reviewed the data breach event and provided clarity concerning all affected individuals. Though there was no indication that the protected health information was used for criminal purposes, the OHA notified all affected individuals.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

State regulations mandate that a company report a data breach to all affected within a short period. Reporting should occur within 45 days of finding out or receiving a breach notification. The breach notification must normally be sent in writing, but the company can issue an email-mailed notice if its customers have agreed to electronic notices.

A data breach affecting more than 250 people in the state of Oregon must be reported to the attorney general. They must notify consumer reporting agencies if that number is more than 1,000. A data breach notice sent out to residents has to include a description of the breach, the date, the type of information accessed, and contact details for the businesses and consumer reporting agencies. Forms sent to the attorney general include the incident dates, the number of those affected, descriptions of the data incident, and content of the notice sent to affected personnel.

There are cases when a substitute notice would be acceptable for Oregon businesses. Substitute notices are approved when the costs of sending traditional notices are more than $250,000, or over 350,000 people are affected by the incident. Similarly, a substitute notice can be issued if the business does not have enough contact details for those involved. This can be a conspicuous posting of the data breach event on the website, an email to those affected, and notifying Oregon media outlets.

Laws

  • Oregon's Consumer Identity Theft Protection Actshows when and the manner businesses are to respond to a security breach. The breaches must be reported if there is a belief that residents' personal information is compromised.
  • Oregon Senate Bill 583 details the law concerning the classification of personal information, security breach definition, attorney general notification, timing, and the notices required.
  • Oregon Consumer Privacy Act maintains safeguards to protect the confidentiality and integrity of personal data. It also provides a means for consumers to revoke consent, which is as easy as it was provided.

Resources

Table of Contents