Nine DHS employees fell for a phishing email that gave the attacker access to the mailboxes of the Oregon Department of Human Services. The breach occurred on January 8, when nine DHS employees were exposed to an unsanctioned party. In total, information from about 645,000 individuals was exposed. The department cannot say if any of the data was downloaded from the email system and used inappropriately. All impacted individuals benefit from identity theft monitoring and recovery services free of charge through the MyIDCare service.
Source: https://www.bleepingcomputer.com/news/security/phishing-attack-exposes-data-of-645-000-oregon-dhs-clients/