Oregon’s Department of Human Services acknowledged Thursday a phishing incident from early January that may have exposed sensitive client information.

The agency said nine employees clicked on a link in an email that looked like an official government message on Jan. 8, 2019. The breach may have allowed hackers to access about 2 million emails.

DHS determined on January 28 that the breach had occurred, but the agency hasn’t yet determined if the information was actually accessed by the hackers, according to spokesman Robert Oakes.

“We took immediate action when the potential data breach was identified,” said Oakes. “It’s an extremely sophisticated email attack on our system.”

DHS does not yet know how many of its 1.6 million clients might have had information jeopardized in the attack. Oakes said the agency only recently determined sensitive information was involved.

“Because it’s 2 million total emails it took time to go through each individual one and identify whether there was a potential incident that required notifying the public,” Oakes said. 

The messages contained protected health information and may include names, dates of birth, social security numbers, addresses, case numbers and other information.

An outside agency has been hired to determine who was affected. DHS is offering credit monitoring services to people whose information was hacked.