This story originally appeared in the Oregon Capital Chronicle and is republished here under a CC BY-NC-ND 4.0 license. Read more stories at oregoncapitalchronicle.com.
Hackers have gained access to the personal information of 1.7 million current and former Medicaid members in Oregon.
The breach dates to May 30. Hackers exploited a vulnerability in a file transfer program, MOVEit, to obtain the personal and medical information of members of the Oregon Health Plan, the state’s Medicaid system. The breach happened through the state’s coordinated care organizations, the Medicaid insurers that contract with PH TECH, which announced the breach Wednesday.
The Oregon Health Authority, which oversees coordinated care organizations, also issued an alert about the breach.
The breach of MOVEit is the same one that affected Oregon’s Department of Motor Vehicles, which announced in mid-June that the personal information of 3.5 million Oregonians with driver’s licenses and identification cards was affected. The DMV waited about two weeks to alert the public.
Watch for additional information from PH TECH in the mail and follow instructions to activate 12 months of free identity theft protection. OHP members will be contacted by regular first-class mail, not by phone or email.
Contact PH TECH for assistance at 888-498-1602 or go to https://response.idx.us/PHTECH for more information.
PH TECH knew in mid-June that hackers had obtained personal information of those who used its services. But it wasn’t until this past Monday that the company sent letters to those affected – about six weeks later. Those affected will be offered one year of free credit monitoring, and the mailed notices will be translated into the appropriate language.
Company officials are not going to call or email those affected, even though many live in unstable situations, moving a lot and even living on the streets.
It said in the release that it alerted its clients – coordinated care organizations – about the breach the same day it was informed. But the insurers did not alert their clients – those who were affected.
In a statement to the Capital Chronicle, PH TECH said it takes data breaches seriously.
“Security breaches are complex and it can take time to fully understand the impact and notify those affected. In this case, several concurrent investigations were underway to assess what happened and what needed to be done to address the security vulnerability, as well as prevent it from happening again,” it said in a statement to the Capital Chronicle. “Because this security incident compromised both personal and protected health information it required additional steps and precautions. From the time we became aware of the issue, PH TECH worked immediately and collaboratively with cyber security experts, as well as all impacted client partners, to respond with certainty and accuracy. Notifications to all those affected occurred well within the required timelines.”
Becca Thomsen, a spokeswoman for CareOregon, one of the largest Medicaid insurers in Oregon, said in an email that the organizations waited because the breach affected a contractor and they wanted to have a coordinated public information strategy.
“To aid in public understanding, impacted organizations contributed to a single press release and member notification strategy,” Thomsen said. “Notifications distributed this week meet reporting standards of 45-days post-notification.”
Files downloaded by the hackers included people’s names, birth dates, Social Security numbers, addresses and email addresses – the same data obtained through the DMV breach. But this time hackers reaped a wealth of private medical information protected by federal privacy laws. Data obtained includes enrollment, authorization and claim information. Hackers also obtained diagnosis codes that doctors and insurers use to refer to specific diseases or conditions, procedure codes and authorization information.
The Oregon Health Authority said PH TECH conducted an “extensive forensic analysis through July 25. This analysis identified the individuals who were affected so OHP members could be notified.”
A recent email from a spokeswoman for the DMV said that agency still had no idea who had been affected. The agency opted to issue a general alert to everyone, regardless of whether they were affected.
Besides the free credit monitoring, everyone is entitled by law to a free report from each of the three credit agencies, Equifax, Experian and TransUnion. To request a free report, go to www.annualcreditreport.com or call 877-322-8228.
The health authority urged everyone to monitor their credit.
“It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data,” Dave Baden, interim health director, said in a statement.
Here’s how to contact the credit monitoring companies:
- Equifax: equifax.com/personal/credit-report-services or 800-685-1111
- Experian: experian.com/help or 888-397-3742
- TransUnion: transunion.com/credit-help or 1-888-909-8872
Residents should check for transactions or accounts they don’t recognize, and if they see strange transactions, call the appropriate banks or credit card company to report them. The Federal Trade Commission also has information on identity theft at www.consumer.gov/idtheft/.
Security officials advise people to freeze their credit if they’re worried about identity theft. That can be done through each of the three credit monitoring companies. Credit can be frozen and the freeze lifted as necessary.