A company that provides services to the health plan notified customers of the breach. Plan members are urged to get credit monitoring.
In a year that has already seen a host of large breaches of private health data, the Oregon Health Authority is urging customers to take action following another significant incident.
The breach affects more than 1.7 million members of the Oregon Health Plan, Oregon officials said this week.
Performance Health Technology, known as PH Tech, said this week that the breach involves the personal information of Oregon Health Plan members. PH Tech provides customer service and payment services for a host of insurers, including the Oregon Health Plan.
“We’re urging OHP members to activate credit monitoring as a precaution,” Dave Baden, interim director of the Oregon Health Authority, said in a statement. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already.”
Baden has urged PH Tech to take all steps possible to insure all affected members are notified, including sending notices in multiple languages. State officials will be seeking updates on the notification efforts, he said.
PH Tech says the information potentially exposed varies from person to person, but it could include names, dates of birth, Social Security numbers, email addresses, claims information, along with plan ID numbers and diagnosis codes.
Customers can contact PH TECH for assistance at 888-498-1602. Oregon officials said plan members should be able to get free theft recovery services from PH Tech if necessary.
PH Tech says the breach involves a file-sharing platform, Progress MOVEit, and the company says it learned in June that a “suspicious entity” gained access to private information. PH Tech said it needed time to determine if the company was affected by the software problem, and said it notified health plans on June 16.
MOVEit notes that it disclosed the vulnerability on May 31, and deployed a patch that day.
Other sizeable breaches of health data have been linked to problems with file transfer software.
Scores of breaches
Tens of millions of Americans have already been affected by health data breaches in 2023. HCA Healthcare said in July that it suffered a data breach affecting as many as 11 million people. HCA said it appears to be “a theft from an external storage location exclusively used to automate the formatting of email messages.”
Hospitals have seen an increase in ransomware attacks in recent months, says John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.
Through late June, more than 220 cyberattacks have targeted hospitals and health systems, and more than 36 million people have been affected, Riggi says. By comparison, 44 million were affected by hacking incidents in all of 2022.
Healthcare breaches are increasingly costly to organizations. The average cost of a health data breach has risen to nearly $11 million, according to a report from IBM Security.
Limor Kessem of IBM Security talked with Chief Healthcare Executive® about the costs of health data breaches in this video.