The Multnomah County Health Department has begun notifying more than 2,000 people of a security incident that may have accessed their personal information.
The breach occurred the weekend of Feb.17-18, when a person illegally entered County offices at the Gladys McCoy Health Department headquarters at 619 N.W. 6th Ave. in Portland. Because of the Presidents Day holiday, the break-in was not discovered until Tuesday, Feb. 21.
The County launched a security investigation that same day. The County also immediately notified the Portland Police Bureau of the unauthorized entry. Several items were taken, including a County laptop, personal items belonging to employees, and new client cell phones awaiting distribution.
On Wednesday, March 15, the Portland Police Bureau arrested the suspect. The County is cooperating fully with the Portland Police Bureau and the District Attorney’s Office on the investigation.
The incident revealed issues with the security personnel hired to protect the building. These staffing issues have been resolved, and the County’s workplace security team has implemented additional training on how to sweep the building and how and when to notify authorities after potential incidents.
According to investigators, during the break-in, the individual accessed rooms, offices, and areas in the McCoy Building that contained paper records that included client information. This information may have included identifying information, including names, addresses, phone numbers, email addresses and Social Security numbers of patients who receive health care at Multnomah County.
Employee financial and identifying information may have also been accessed.
The County does not believe any records from the Multnomah County STD Clinic, Tuberculosis Clinic or the Student Health Centers were affected in this incident.
No other clients of other Multnomah County departments or services are involved.
It is unknown at this point in the investigation if the suspect viewed or removed any files containing client and personal information. Although officials are unsure of the degree to which information was accessed, out of an abundance of caution the Health Department is notifying anyone potentially affected by this break-in.
All patients whose records have been potentially affected should receive notification via a letter.
Multnomah County has set up a hotline to answer questions for the affected patients and employees.
The County has also arranged for free credit monitoring from IDX, a company that specializes in responding to data breaches. The firm will provide 12 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy and fully managed ID theft recovery services. Please call 1-800-939-4170 or go to https://app.idx.us/account-creation/protect for assistance.
Anyone who is a Multnomah County Health Department client and has recently moved or had an unstable address is strongly urged to please call the number above or go online for assistance.
Multnomah County and the Health Department are committed to keeping personal information private, and the County takes many steps to protect it. The County has policies and procedures for preventing access to County work areas.
The County has completed a thorough investigation of this breach, and as a result, is updating and improving its procedures and security contracts to ensure an event like this does not happen again. The County is also reviewing countywide and department-level policies to increase security procedures at buildings in response to this incident. The County is also working to mitigate any potential harm to clients by providing information and credit monitoring.
The County sincerely regrets any inconvenience or worry this incident presents to any client or employee, or their families.
Source: Multnomah County