Oregon Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A timeline of major cybersecurity incidents in Oregon, from the Oregon DHS phishing breach to healthcare data theft and manufacturing ransomware, and what businesses can learn from them.
Oregon's economy spans a distinctive range of industries — from the semiconductor fabrication plants of the Silicon Forest to Nike's global headquarters in Beaverton to craft breweries and outdoor recreation companies throughout the Willamette Valley. This diversity means that cyber adversaries targeting Oregon are not focused on a single sector but rather exploit vulnerabilities across technology, healthcare, manufacturing, and government organizations. The state's relatively small population of 4.2 million belies the volume and severity of cyber incidents that have struck Oregon organizations over the past decade.
Studying these incidents is not merely historical. Each breach below reveals specific weaknesses — unpatched systems, phishing susceptibility, inadequate third-party oversight — that persist in many Oregon organizations today. Whether you run a manufacturing operation in the Portland metro or a healthcare practice in Bend, these cases offer concrete lessons about where Oregon businesses remain most exposed to cybersecurity threats.
Major Cyber Incidents in Oregon: A Timeline
2006 — Providence Health & Services Data Theft
Providence Health & Services, one of Oregon's largest healthcare systems headquartered in Portland, disclosed in 2006 that backup tapes, disks, and laptops containing unencrypted data on approximately 365,000 patients had been stolen from an employee's vehicle. The stolen media included patient names, Social Security numbers, clinical information, and health plan details. The incident was one of the largest healthcare data breaches in Oregon history at the time and resulted in a class-action lawsuit and a settlement with the Oregon Attorney General. Providence subsequently invested in enterprise-wide encryption and revised its data transport policies.
2009 — Oregon Health & Science University Laptop Theft
In 2009, OHSU reported that an unencrypted laptop stolen from a researcher's vehicle contained personal health information on approximately 1,000 patients. While smaller in scope than later OHSU incidents, the breach highlighted a recurring pattern: sensitive medical data stored on portable devices without encryption. OHSU would face this same vulnerability category repeatedly over the following years.
2013 — OHSU Cloud Storage Exposure
Oregon Health & Science University disclosed in 2013 that approximately 3,044 patients' protected health information had been stored on an internet-accessible cloud server without adequate security controls. Residents and faculty had uploaded clinical data to a shared Google Drive account, exposing names, dates of birth, medical record numbers, diagnosis codes, and treatment information. OHSU reported the breach to the U.S. Department of Health and Human Services and ultimately paid $2.7 million to settle potential HIPAA violations with the Office for Civil Rights — one of the largest HIPAA settlements involving an Oregon institution. The case became a national example of shadow IT risk in academic medical centers.
2019 — Oregon Department of Human Services Phishing Breach
In January 2019, the Oregon Department of Human Services (DHS) suffered a phishing attack that compromised nine employee email accounts. The breached accounts contained personal information — including names, Social Security numbers, dates of birth, case numbers, and other sensitive data — belonging to approximately 1.6 million individuals, including vulnerable populations such as children in foster care and recipients of disability services. DHS notified affected individuals and offered credit monitoring. The breach was particularly concerning because DHS serves some of Oregon's most vulnerable residents, and the scope of 1.6 million records made it one of the largest government data breaches in the Pacific Northwest.
2020 — City of Portland Business Email Compromise
In April 2020, the City of Portland lost approximately $1.4 million in a business email compromise (BEC) attack. Attackers compromised or spoofed email communications related to a real housing project and redirected a legitimate payment to a fraudulent bank account. The city discovered the fraud after the intended recipient reported nonpayment. Portland's Bureau of Revenue and Financial Services confirmed the loss and initiated recovery efforts, though BEC funds are notoriously difficult to recover once transferred. The incident demonstrated that even large, well-staffed municipal governments are vulnerable to social engineering attacks that bypass technical controls entirely.
2021 — PCC Structurals Ransomware Attack
PCC Structurals, a Portland-based precision casting manufacturer that is part of Berkshire Hathaway's Precision Castparts Corp., experienced a ransomware attack that disrupted manufacturing operations. PCC Structurals produces critical aerospace and industrial components, and the attack affected production scheduling and business systems. The incident highlighted the growing risk of ransomware targeting Oregon's manufacturing sector, where operational disruption can cascade through supply chains serving aerospace, defense, and industrial customers nationwide.
2023 — MOVEit Transfer Breach (Oregon Agencies Affected)
The mass exploitation of the MOVEit Transfer file-sharing platform by the Cl0p ransomware group in May and June 2023 affected multiple Oregon state agencies and organizations. The Oregon Department of Transportation (ODOT) confirmed that approximately 3.5 million records — essentially every Oregon resident with a driver's license or state ID — were potentially exposed through the vulnerability. The Oregon Health Authority and the Department of Administrative Services were also affected. The MOVEit breach was global in scope, but Oregon's exposure was among the most significant of any U.S. state, and it prompted legislative discussions about the security of third-party software used by state agencies.
Oregon Data Breach Notification Law
Oregon's breach notification requirements are codified in the Oregon Identity Theft Protection Act, specifically ORS 646A.604. The law requires any person or entity that owns, licenses, or maintains personal information about Oregon consumers to notify affected individuals if their data has been, or is reasonably believed to have been, acquired by an unauthorized person.
Under the current statute, organizations must notify affected individuals within 45 days of discovering the breach. If the breach affects more than 250 Oregon consumers, the organization must also notify the Oregon Attorney General. The law covers a broad definition of personal information including Social Security numbers, driver's license numbers, financial account numbers, passport numbers, biometric data, and health insurance information. For a complete guide to Oregon's compliance requirements, see our breakdown of Oregon cybersecurity and data privacy laws.
Which Oregon Industries Are Most Targeted?
Healthcare
Oregon's healthcare sector — anchored by OHSU, Providence, Legacy Health, and PeaceHealth — has been repeatedly targeted. The OHSU and Providence incidents demonstrate that healthcare organizations face both external attacks and internal data handling failures. Medical records command $50 to $250 per record on dark web markets, making Oregon's large hospital systems and their thousands of affiliated clinics persistent targets.
Technology and Semiconductor Manufacturing
The Silicon Forest — centered in Washington County west of Portland — is home to Intel's largest U.S. research and manufacturing campus, along with dozens of semiconductor equipment makers, software companies, and tech firms. Intellectual property theft and nation-state espionage targeting chip designs, manufacturing processes, and research data are significant concerns for this cluster. The CHIPS Act investment in Oregon semiconductor expansion has only increased the state's profile as a target for economic espionage.
State and Local Government
The Oregon DHS breach, the City of Portland BEC attack, and the MOVEit exposure of ODOT records collectively demonstrate that Oregon government agencies are frequent targets. Many smaller Oregon cities and counties operate with limited IT staff and aging infrastructure, making them vulnerable to ransomware and phishing attacks.
Manufacturing
Oregon's manufacturing sector extends beyond semiconductors to include precision castings (PCC Structurals), outdoor equipment, food processing, and wood products. These operations increasingly rely on connected industrial control systems and enterprise resource planning software, creating attack surfaces that blend IT and operational technology risks. Ransomware operators target manufacturers specifically because production downtime creates intense pressure to pay.
What Oregon Businesses Must Do After a Breach
If your Oregon organization experiences a data breach, the following steps are required or strongly recommended under state law:
Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve forensic evidence
Investigate the scope — determine what data was accessed, how the attacker gained entry, and whether the breach is ongoing
Notify affected individuals within 45 days — include a description of the incident, the type of data compromised, and contact information for the Oregon Attorney General and the Federal Trade Commission
Notify the Oregon Attorney General if 250 or more Oregon consumers are affected, including the number affected, type of data, and the steps taken in response
Notify credit reporting agencies if more than 1,000 individuals are affected at one time
Document your response — maintain records of the breach, investigation findings, notifications sent, and remediation actions for potential regulatory review
How to Protect Your Oregon Business
The pattern across Oregon's breach history is consistent: phishing, unencrypted data, inadequate third-party oversight, and delayed detection account for the majority of incidents. Oregon businesses can address these specific weaknesses with practical measures:
Deploy multi-factor authentication on all email, remote access, and privileged accounts — the Oregon DHS breach started with phishing that MFA could have prevented
Encrypt all portable media and devices — both the Providence and OHSU incidents involved unencrypted data on stolen or mishandled devices
Vet third-party software and vendors — the MOVEit breach affected Oregon agencies through a trusted file transfer tool that harbored a critical vulnerability
Implement email authentication controls (DMARC, DKIM, SPF) — the City of Portland BEC attack exploited email trust without needing to breach technical systems
Test incident response plans annually through tabletop exercises that simulate ransomware and data theft scenarios relevant to your industry
Many Oregon businesses work with managed IT services providers and managed security services firms to maintain continuous monitoring and rapid response capabilities that would be difficult to staff internally.
Frequently Asked Questions
How quickly must an Oregon business report a data breach?
Under ORS 646A.604, Oregon businesses must notify affected individuals within 45 days of discovering a breach involving their personal information. If the breach affects 250 or more Oregon consumers, the organization must also notify the Oregon Attorney General within that same 45-day window. This timeline is stricter than many states, though not as aggressive as Florida's 30-day requirement.
What was the largest data breach affecting Oregon residents?
The 2023 MOVEit Transfer breach exposed approximately 3.5 million records held by the Oregon Department of Transportation, potentially affecting nearly every Oregon resident with a driver's license or state ID. In terms of direct attacks on Oregon organizations, the 2019 Oregon DHS phishing breach exposed data on approximately 1.6 million individuals, making it the largest breach of an Oregon state agency by a direct attack.
Are Oregon manufacturers at risk for cyberattacks?
Yes. Oregon's manufacturing sector, including precision casting, semiconductor fabrication, wood products, and food processing, faces increasing ransomware and IP theft threats. The PCC Structurals ransomware incident demonstrated that manufacturing disruption in Oregon can affect national supply chains. Manufacturers with connected industrial control systems face additional OT security risks that differ from traditional IT threats.
Does Oregon require businesses to offer credit monitoring after a breach?
Oregon law does not explicitly mandate credit monitoring for breach victims, unlike some states such as Florida. However, offering credit monitoring is considered a best practice and may be required under federal regulations like HIPAA if health information is involved. Many Oregon organizations voluntarily provide 12 to 24 months of credit monitoring as part of their breach response to mitigate reputational damage and potential litigation.
What role does the Oregon Attorney General play in cybersecurity enforcement?
The Oregon Attorney General's office enforces the state's data breach notification law (ORS 646A.604) and the Oregon Consumer Privacy Act. The AG receives breach notifications, can investigate potential violations, and has authority to bring enforcement actions against organizations that fail to comply with notification requirements or that maintain unreasonable data security practices. The AG's Consumer Protection division has historically pursued settlements against organizations involved in significant breaches, as seen in the Providence Health case.
Alex Morgan
Updated Apr 4, 2026 · 9 min read