State officials are urging members of the Oregon Health Plan to monitor their credit accounts as personal data on nearly 1.7 members was exposed as part of a massive data breach into a contractor.
In late July, the Centers for Medicare & Medicaid Services issued a similar warning after vulnerabilities in the file transfer program MOVEit were identified in late May. The breach was announced by PH TECH, a vendor that coordinates member data services for a slew of managed care organizations.
The Oregon Health Authority said in an announcement that PH Tech mailed letters to the affected members on July 31 after conducting an "extensive" investigation through July 25.
“We’re urging OHP members to activate credit monitoring as a precaution,” said Dave Baden, interim director at OHA, in the release. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data.”
PH TECH said in a notice posted to its website that it was alerted to the vulnerability with MOVEit, which allowed hackers to access its system and download files, on June 2. The company "immediately moved our system offline" and began to dig into whether its files were accessed.
The information within PH TECH's system that was accessed "varies from person to person and might include name, date of birth, social security number (SSN), address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure code, and claim information," the company said.
In the announcement, Baden said that the state had called on PH TECH to ensure that outreach to affected members was available in multiple languages and that officials would be briefed regularly on progress.
Members who are notified that their data was exposed will be offered a year of free identity theft protection and are urged to seek out free credit monitoring from the major consumer reporting companies. PH TECH will also make ID theft recovery services available at no cost to those who need it.