Oregon Health Plan Members to Monitor Their Credit, After Moveit Related Data Breach

Members of Oregon Health Plan were told to monitor their credit after hackers accessed the personal information of an estimated 1.7 million members.

Performance Health Technology (PH Tech), a company that provides data management services to U.S. healthcare insurers, announced the breach August 2nd. Hackers exploited a known security issue in file transfer software called MOVEit.

PH Tech confirmed in a notice that it was impacted by the MOVEit mass-hacks. “We found out that an unauthorized person used the Progress MOVEit’s software and that PH Tech data files were downloaded,” the organization said in a notice on its website.

PH Tech said that hackers accessed patients’ personal and protected health information, including names, dates of birth, Social Security numbers, email and postal addresses, member and plan ID numbers. The hackers also accessed sensitive health information, including insurance authorizations, diagnosis and procedure codes, and claims information.

PH Tech hasn’t said how many individuals were affected by the breach of its systems. However, a separate notice from the Oregon Health Authority states that an estimated 1.7 million of its members were affected.

Oregon data get hit for a second time in a few months

As this latest breach demonstrates, the fallout from the MOVEit mass-hacks continues to grow.

The Oregon Health Authority is the second Oregon state agency to experience a MOVEit-related data breach. A little over two months ago, the Oregon Department of Transportation confirmed it had been hit by the mass-hacks, leading to the compromise of 3.5 million driver’s license and identification cards.

On Thursday, June 1, 2023, the State of Oregon became aware of a vulnerability in a third-party software tool. The software tool is called MOVEit, and the vulnerability was disclosed by the company that owns the software, Progress. MOVEit is a tool used to transfer data files. Please know that Oregon DMV will never reach out to a customer and ask them to verify anything by clicking a link or asking for information.

Upon learning of the problem, the Oregon Department of Transportation (ODOT) quickly activated its emergency response procedures. ODOT worked with state cybersecurity professionals to immediately secure affected systems. ODOT also took immediate steps to investigate what, if any, of its information was affected by the vulnerability.

Unfortunately, on Monday, June 12, it was confirmed that the actors behind the hack of MOVEit Transfer accessed ODOT’s data. This data contains personal information for approximately 3.5 million Oregonians. Even though the ODOT data was encrypted, it is widely understood that the hackers were able to read the data because of the vulnerability in MOVEit.

On Thursday, June 15th, ODOT notified the public about the MOVEit Transfer breach.

OHP members, urged to ensure data protection for the future

For this second hit, verification took a while, but once PH Tech confirmed the breach was real, the company began mailing notification letters on July 31 to people whose data was exposed. The letters include an offer of free credit monitoring.

“We’re urging OHP members to activate credit monitoring as a precaution,” said Dave Baden, interim director at OHA. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data.”

Baden called on PH TECH to ensure all affected OHP members would be made aware of the incident, communication would occur in multiple languages, talking points would be created, and state officials would be briefed on the progress of these actions.

OHP members were encouraged to:

• Watch for additional information from PH in the mail and follow instructions to activate 12 months of free identity theft protection. OHP members will be contacted by regular first-class mail, not by phone or email.
• Request a free credit report. OHP members have the right to request one free copy of their credit report from each of the three major consumer reporting companies (Equifax, TransUnion and Experian) every year. OHP members may be able to request reports from one company every few months throughout the year. Credit reports and monitoring can help people identify signs of identity theft and stop thieves from using information for fraudulent purposes.
• Contact PH TECH for assistance at 888-498-1602 or by going to https://response.idx.us/PHTECH for more information.

MOVEit related breaches have already affected tens of millions of people 

These are not the only breaches related to MOVEit, tens of millions being victims already. While states are making efforts to protect health related data and telehealth services are expanding to all 50 states, making data protection all the more important, these breaches become more significant.

July 26th, Maximus, a U.S. government services contractor, confirmed that hackers accessed the protected health information of as many as 11 million individuals in a MOVEit-related breach. More than 600,000 of those affected are Medicare beneficiaries, a statement by the Centres for Medicare and Medicaid Services informed.

Serco, a contractor for the U.S. government, said in a breach notification filed recently that hackers accessed the personal information of more than 10,000 employees from its benefits administrator, and Pennsylvania’s Allegheny County confirmed another breach affecting almost a million residents.

According to the latest figures from cybersecurity company Emsisoft,  there were, August 12th,  580 known MOVEit victims, impacting the personal data of more than 40 million individuals, the vast majority in the USA, but also abroad.