Contractor Says Several Health Plans Affected by MOVEit HackOregon Health Authority Among the Latest Victims - 1.7 Million Members Affected
A contractor that provides claims processing and other services says several of its community health plan customers - including 1.7 million members of the Oregon Health Plan - are victims of the zero-day MOVEit vulnerability, which has affected more than 500 organizations worldwide.
Salem, Oregon-based Performance Health Technology, which handles administrative services for health plans, said that among its customers affected by attacks on Progress Software's MOVEit product is the state-run Oregon Health Authority and a number of coordinated care organizations that are part of the authority's Oregon Health Plan.
"Members impacted include, but may not be limited to, individuals enrolled in AllCare CCO, Health Share of Oregon, Umpqua Health and Yamhill Community Care," PH Tech said in a statement provided to Information Security Media Group.
Also affected are members of Capitol Dental Care, Dental 3 DBA All Smiles Community Oral Health and Managed Dental Care of Oregon, which may also include members of Columbia Pacific CCO, InterCommunity Health Network CCO, Jackson Care Connect, PacificSource Community Solutions and Trillium Community Health Plan, PH Tech said.
PH Tech did not immediately respond to ISMG's inquiry about the total number of customers affected by its MOVEit hacking incident. Besides the 1.7 million Oregon Health Plan members in Oregon affected by the incident, approximately 3,800 individuals in Washington state and 44,000 individuals in Northern California are also affected, PH Tech told ISMG.
The Oregon Health Authority released a statement Wednesday urging its affected Oregon Health Plan members to activate 12 month of complimentary credit and identity monitoring services being offered by PH Tech.
PH Tech said that on June 2, it was informed that Progress MOVEit "had a problem" that could allow attackers to access its system and download files, PH Tech said.
PH Tech immediately moved its system offline and began an investigation to assess if its systems had been affected, the contractor said. "PH Tech hired a cybersecurity firm to help with the investigation and also informed the FBI," the company said.
Personal information and protected health information accessed in the hacking incident pertained to enrollment, authorization, and claims files, PH Tech said.
Compromised information varies among individuals, but includes name, birthdate, Social Security number, address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure code, and claim information, PH Tech said.
Oregon Health Authority in its statement about the incident said PH Tech had notified state officials that the contractor conducted extensive forensic analysis through July 25 and the vendor began to notify affected individuals on July 31.
"It's disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others who have more than enough to manage already," said Dave Baden, interim director at Oregon Health Authority, in the statement advising affected individuals to sign up for the free credit monitoring being offered.
The incident affecting the Oregon Health Authority and PH Tech's other customers is part of a tidal wave of major breaches resulting from the Clop crime group's zero-day attacks on users of the widely used MOVEit file transfer product across many industries worldwide.
As of Tuesday, security vendor Emsisoft counted a total of 558 breached organizations, affecting about 38.8 million individuals globally.
Recent victims of the attacks that reported compromises to health data include Allegheny County, Pennsylvania; Harris Health System in Texas; and government contractor Maximus Inc., whose hack affected up to 11 million individuals, including 612,000 current Medicare beneficiaries, according to the Centers of Medicare and Medicaid Services last week (see: Known MOVEit Attack Victim Count Reaches 545 Organizations).
The flood of breaches involving MOVEit - as well as similar third-party applications, such as Fortra's GoAnywhere software - is the latest reminder that healthcare sector entities must be prepared and proactive in addressing potential risks and compromises involving protected health information handled by their business associates and by those companies' subcontractors, experts said.
"We're all a little bit at the mercy of some of these huge, huge software companies with breaches involving zero-day vulnerabilities," Glen Braden, CIO/CFO at Attest Health Care Advisors, a regulatory compliance firm, told ISMG.
As soon as word gets out about these types of incidents involving major software providers, it's vital for organizations to quickly and proactively assess whether they or any of their third parties could potentially be affected, he said.
"I see my clients reach out and ask: 'MOVEit. It has a problem. Do you use it? Do your subcontractors use it?' And then within the first week that vulnerabilities are out, they're assessing whether that's a problem."
But even before an incident like that happens, Braden said, healthcare sector organizations and vendors must carefully and continuously vet their suppliers and subcontractors. That includes assessing and certifying vendors on a regular basis by independent third parties, he said.