Hackers have gained access to the personal information of 1.7 million current and former Medicaid members in Oregon.
The breach dates to May 30. Hackers exploited a vulnerability in a file transfer program, MOVEit, to obtain the personal and medical information of members of the Oregon Health Plan, the state’s Medicaid system. The breach happened through the state’s coordinated care organizations, the Medicaid insurers that contract with PH TECH, which announced the breach Wednesday.
The Oregon Health Authority, which oversees coordinated care organizations, also issued an alert about the breach.
The MOVEit breach is the same one that affected Oregon’s Department of Motor Vehicles, which announced in mid-June that the personal information of 3.5 million Oregonians with driver’s licenses and identification cards was affected. The DMV waited about two weeks to alert the public.
PH TECH knew in mid-June that hackers had obtained personal information of those who used its services. But it wasn’t until this past Monday that the company sent letters to those affected – about six weeks later. Those affected will be offered free credit monitoring, and the letters will be translated into the members’ languages when appropriate.
Company officials are not going to call or email those affected, even though many live in unstable situations, moving a lot and even living on the streets.
PH TECH said in the release that it alerted its clients – coordinated care organizations – about the breach the same day it was informed. But the insurers did not alert their clients – those who were affected.
In a statement to the Capital Chronicle, PH TECH said it takes data breaches seriously and that it moved its system offline when it knew about the breach and also informed the FBI.
The statement did not directly address the reasons for waiting to inform Medicaid members.
“Security breaches are complex and it can take time to fully understand the impact and notify those affected. In this case, several concurrent investigations were underway to assess what happened and what needed to be done to address the security vulnerability, as well as prevent it from happening again,” it said in the statement. “Because this security incident compromised both personal and protected health information it required additional steps and precautions. From the time we became aware of the issue, PH TECH worked immediately and collaboratively with cyber security experts, as well as all impacted client partners, to respond with certainty and accuracy. Notifications to all those affected occurred well within the required timelines.”
Becca Thomsen, a spokeswoman for CareOregon, one of the largest Medicaid insurers in Oregon, indicated in an email that coordinated care organizations waited to inform members because the breach affected a contractor and they wanted to have a coordinated public information strategy.
“To aid in public understanding, impacted organizations contributed to a single press release and member notification strategy,” Thomsen said. “Notifications distributed this week meet reporting standards of 45-days post-notification.”
Files downloaded by the hackers included people’s names, birth dates, Social Security numbers, addresses and email addresses – the same data obtained through the DMV breach. But this time hackers reaped a wealth of private medical information protected by federal privacy laws. Data obtained includes enrollment, authorization and claim information. Hackers also obtained diagnosis codes that doctors and insurers use to refer to specific diseases or conditions, procedure codes and authorization information.
The Oregon Health Authority said PH TECH conducted an “extensive forensic analysis through July 25. This analysis identified the individuals who were affected so OHP members could be notified.”
A recent email from a spokeswoman for the DMV said that agency still had no idea who had been affected. The agency opted to issue a general alert to everyone, regardless of whether they were affected.
Besides the free credit monitoring, everyone is entitled by law to a free report from each of the three credit agencies, Equifax, Experian and TransUnion. To request a free report, go to www.annualcreditreport.com or call 877-322-8228.
Here’s how to contact the credit monitoring companies:
- Equifax: equifax.com/personal/credit-report-services or 800-685-1111
- Experian: experian.com/help or 888-397-3742
- TransUnion: transunion.com/credit-help or 1-888-909-8872
Residents should check for transactions or accounts they don’t recognize, and if they see strange transactions, call the appropriate banks or credit card company to report them. The Federal Trade Commission also has information on identity theft at www.consumer.gov/idtheft/.
Security officials advise people to freeze their credit if they’re worried about identity theft. That can be done through each of the three credit monitoring companies. Credit can be frozen and lifted as necessary.
Oregon Capital Chronicle is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Oregon Capital Chronicle maintains editorial independence.