1 million Oregon Health Plan members impacted by data breach

Dianne Lugo, Salem Statesman Journal
Updated ·3 min read
More than a million Oregon Health Plan members are now being warned they are among those affected by June's global MOVEit Transfer hack.
More than a million Oregon Health Plan members are now being warned they are among those affected by June's global MOVEit Transfer hack.

More than a million Oregon Health Plan members are now being warned they are among those affected by a global MOVEit Transfer hack announced in June.

In June, the Cybersecurity and Infrastructure Security Agency announced Progress Software Corp had released a security advisory for its file-sharing tool MOVEit Transfer. The software had a vulnerability that could allow an attacker to "take over an affected system," PSC warned.

Organizations nationwide were affected, including the Oregon Department of Transportation. On June 15, ODOT warned that 3.5 million holders of Oregon IDs or driver’s licenses were impacted.

Wednesday, the Oregon Health Authority announced that private vendor PH TECH notified state officials that analysis conducted through July 25 determined OHP members were also affected by the data breach. PH TECH provides services to many Coordinated Care Organizations to help manage OHP member data, the release said.

Notification letters were sent on July 31 by PH TECH and will include an offer for free credit monitoring for impacted members, OHA said.

A patch for the MOVEit software was available on May 31 and the exploit has not been observed past May, a spokesperson for the company said in an email.

The data breach announced by PH TECH did not involve or compromise state systems, OHA said.

"This is, unfortunately, the world we're living in right now. We have foreign countries, international actors who are trying to get your personal data. As a state, we have increased our focus on cyber security, particularly across state government to make sure we have better protections in place as much as we can anticipate," Gov. Tina Kotek said during a press event Wednesday.

What data is impacted?

PH TECH said accessed data included personal information and some protected health information like enrollment, authorization and claims files. Information varies from person to person but might include name, date of birth, social security number, address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure codes and claim information.

What should people do?

“We’re urging OHP members to activate credit monitoring as a precaution,” Dave Baden, interim director at OHA, said in the release. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data.”

OHA is also encouraging OHP members to:

  • Watch for additional information from PH in the mail and follow instructions to activate 12 months of free identity theft protection. OHP members will be contacted by regular first-class mail, not by phone or email, OHA said.

  • Request a free credit report. Individuals have the right to request one free copy of their credit report from each of the three major consumer reporting companies (Equifax, TransUnion and Experian) every year. OHP members may be able to request reports from one company every few months throughout the year. Credit reports and monitoring can help people identify signs of identity theft and stop thieves from using information for fraudulent purposes.

  • Contact PH TECH for assistance at 888-498-1602 or by going to response.idx.us/PHTECH for more information.

OHP members will also be able to receive ID theft recovery services via PH TECH at no cost, if needed, officials said.

This article originally appeared on Salem Statesman Journal: Oregon Health Plan data breach: 1 million members impacted