老夫子传媒

漏 2024 | 老夫子传媒
Southern Oregon University
1250 Siskiyou Blvd.
Ashland, OR 97520
541.552.6301 | 800.782.6191
Listen | Discover | Engage a service of Southern Oregon University
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

New data breach affects 1.7 million Oregonians

Almonroth
/
Wikimedia Commons

The hack affected current and past members of the Oregon Health Plan, the state鈥檚 Medicaid system.

Hackers have gained access to the personal information of 1.7 million current and former Medicaid members in Oregon.

The breach dates to May 30. Hackers exploited a vulnerability in a file transfer program, MOVEit, to obtain the personal and medical information of members of the Oregon Health Plan, the state鈥檚 Medicaid system. The breach happened through the state鈥檚 coordinated care organizations, the Medicaid insurers that contract with PH TECH, which Wednesday.

The Oregon Health Authority, which oversees coordinated care organizations, also issued an alert about the breach.

The breach of MOVEit is the same that affected Oregon鈥檚 Department of Motor Vehicles, which that the personal information of 3.5 million Oregonians with drivers licenses and identification cards were affected. The DMV waited about two weeks to alert the public.

PT TECH knew that hackers had obtained personal information of those who used its services in mid-June. But it wasn鈥檛 until this past Monday that the company sent letters to those affected 鈥 about six weeks later. Those affected will be offered one year of free credit monitoring, and the mailed notices will be translated into the appropriate language.

Company officials are not going to call or email those affected, even though many live in unstable situations, moving a lot and even living on the streets.

It said in the release that it alerted its clients 鈥 coordinated care organizations 鈥 about the breach the same day it was informed. But the insurers did not alert its clients 鈥 those who were affected.

In a statement to the Capital Chronicle, PH TECH said it takes data breaches seriously.

鈥淪ecurity breaches are complex and it can take time to fully understand the impact and notify those affected. In this case, several concurrent investigations were underway to assess what happened and what needed to be done to address the security vulnerability, as well as prevent it from happening again,鈥 it said in a statement to the Capital Chronicle. 鈥淏ecause this security incident compromised both personal and protected health information it required additional steps and precautions. From the time we became aware of the issue, PH TECH worked immediately and collaboratively with cyber security experts, as well as all impacted client partners, to respond with certainty and accuracy. Notifications to all those affected occurred well within the required timelines.鈥

Becca Thomsen, a spokeswoman for CareOregon, one of the largest Medicaid insurers in Oregon, said in an email that the organizations waited because the breach affected a contractor and they wanted to have a coordinated public information strategy.

鈥淭o aid in public understanding, impacted organizations contributed to a single press release and member notification strategy,鈥 Thomsen said. 鈥淣otifications distributed this week meet reporting standards of 45-days post-notification.

Files downloaded by the hackers included people鈥檚 names, birth dates, Social Security numbers, addresses and email addresses 鈥 the same data obtained through the DMV breach. But this time hackers reaped a wealth of private medical information protected by federal privacy laws. Data obtained includes enrollment, authorization and claim information. Hackers also obtained diagnosis codes that doctors and insurers use to refer to specific diseases or conditions, procedure codes and authorization information.

The Oregon Health Authority said PH TECH conducted an 鈥渆xtensive forensic analysis through July 25. This analysis identified the individuals who were affected so OHP members could be notified.

A recent email from a spokeswoman for the DMV said that agency still had no idea who had been affected. The agency opted to issue a general alert to everyone, regardless of whether they were affected.

Besides the free credit monitoring, everyone is entitled by law to a free report from each of the three credit agencies, Equifax, Experian and TransUnion. To request a free report, go to or call 877-322-8228.

The health authority urged everyone to monitor their credit.

鈥淚t鈥檚 disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data,鈥 Dave Baden, interim health director, said in a statement.

Here鈥檚 how to contact the credit monitoring companies:

  • Equifax:  or 800-685-1111 
  • Experian:  or 888-397-3742
  • TransUnion:  or 1-888-909-8872 

Residents should check for transactions or accounts they don鈥檛 recognize, and if they see strange transactions, call the appropriate banks or credit card company to report them. The Federal Trade Commission also has information on identity theft at .

Security officials advise people to freeze their credit if they鈥檙e worried about identity theft. That can be done through each of the three credit monitoring companies. Credit can be frozen and lifted as necessary.

The  is a professional, nonprofit news organization. We are an affiliate of , a national 501(c)(3) nonprofit supported by grants and a coalition of donors and readers. The Capital Chronicle retains full editorial independence, meaning decisions about news and coverage are made by Oregonians for Oregonians.

Lynne Terry has more than 30 years of journalism experience. She reported on health and food safety in her 18 years at The Oregonian, was a senior producer at Oregon Public Broadcasting and Paris correspondent for National Public Radio for nine years.