1.7 Million Oregon Health Plan Members Affected by MOVEit Hack
The protected health information of 1.75 million Oregon Medicaid patients has been stolen by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 30, 2023. The data breach occurred through a claims processing contractor used by the Oregon Health Plan – Performance Health Technology (PH Tech) – which was informed about the vulnerability and data breach on June 2 by Progress Software.
According to PH Tech, the compromised information included names, dates of birth, Social Security numbers, mailing addresses, and email addresses, along with health information such as diagnoses, procedures, claim information, and plan ID numbers. Affected individuals are being notified by PH Tech and have been offered complimentary credit monitoring services. PH Tech said it immediately disabled the MOVEit solution when it learned about the compromise. The vulnerability was patched, and it rebuilt how the solution can be accessed to ensure that no one else is able to access files through the software. PH Tech said several of its community health plan customers were affected, including the Oregon Health Plan and AllCare CCO, Health Share of Oregon, Umpqua Health, and Yamhill Community Care. In addition to the 1.7 million Oregon Health plan customers, the data of approximately 47,800 other individuals was stolen in the attack.
The Clop threat group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data from MOVEit servers, then issued ransom demands and threatened to leak the stolen data if payment was not made. The attacked companies were then added to the group’s dark net data leaks site, then on the group’s clearnet site if they refused to pay the ransom. According to KobBriefing Research, which has been tracking the data leaks, at least 582 organizations were attacked and the data of between 34.7 and 39.7 million individuals was stolen.
“This is yet another example of the shared responsibility that exists in engaging with third parties. On the one hand, companies should not assume their vendors are secure, and conduct audits often and unannounced. On the other hand, vendors should not wait for an audit and take every reasonable measure to protect their client’s data, especially when it is as sensitive as medical records,” said Dror Liwer, co-founder of Coro, in a statement provided to The HIPAA Journal.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The Healthcare Victim Count Continues to Grow
The Health Plan of West Virginia, Inc. has recently confirmed that 1,292 members had data stolen. United Bank provides financial services to the health plan and recently confirmed that electronic records of recent premium payments and premium payment coupons were stolen. The stolen records related to a two-week period in May 2023, and included names, addresses, phone numbers, health plan identification numbers, group numbers, and images of premium payments.
Employees, students, and patients of Johns Hopkins Health System, Johns Hopkins All Children’s Hospital, and Johns Hopkins Howard County General Hospital had data stolen from MOVEit servers after the vulnerability was exploited, although personal health records do not appear to have been obtained. Johns Hopkins Health System has reported the breach to the Office for Civil Rights as affecting 2,584 patients, Howard County General Hospital has filed a breach report indicating 2,975 patients were affected, and Johns Hopkins Medicine has recently confirmed that 310,405 individuals were affected.
The academic health system, UofLHealth, was also attacked and is still investigating the incident to determine the types of information involved and the number of individuals affected. The MOVEit tool was used by a small number of UofLHealth medical practices for transferring files to third-party vendors. Other known victims include Allegheny County in Pennsylvania (689,686 individuals), Sutter Senior Care (519 individuals), Harris Health System (224,703 individuals), UT Southwestern Medical Center (98,437 individuals), and CMS contractor Maximus (612,000 individuals).
“The MOVEit vulnerability has demonstrated how much a single vendor can impact organizations across so many industries. The issues around the exploitation of the MOVEit vulnerability underscores that, even when using somewhat secure methods, data can be stolen and other controls, including monitoring of access to potentially sensitive information, should also be included in an organization’s security plan,” said Erich Kron, security awareness advocate at KnowBe4, told the HIPAA Journal. “While many organizations that have used MOVEit have patched, it is critical that organizations that continue to use the service ensure that all of their servers are patched and access logs should be checked in an effort to find attackers that may have previously exploited the vulnerability.”