Data Breach Hits OHP Contractor, Compromising 1.7M Clients’ Data

OHP, PH Tech encourage OHP clients to enroll in credit card monitoring.

Share this article!

Performance Health Technology, a technology contractor engaged by the Oregon Health Plan, disclosed Tuesday that it had been hit by a “coordinated attack” by hackers who may have accessed the personal information of as many as 1.7 million OHP clients.

The contractor issued a press release Tuesday saying that on May 30, someone exploited a security vulnerability in Progress MOVEit, a software product several state agencies use. The release says PH Tech learned about the incident on June 16. The information accessed varies from person to person but includes personal information, including names and social security numbers as well as protected health information like member ID numbers, diagnosis codes and claim information.

The company says it disabled access to the platform and fixed the security vulnerability, and has directly contacted customers to offer free identity-theft protection services through IDX, a data-breach response service.

Also Wednesday morning, the Oregon Health Authority issued a press release encouraging OHP members to watch for additional information, to request a free credit report from each of the three major consumer reporting companies — EquifaxTransUnion and Experian — and to contact PH Tech directly if they need further assistance.

“We’re urging OHP members to activate credit monitoring as a precaution,” Dave Baden, interim director at OHA, said in the health authority’s release. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data.”

OHA is the second state agency to experience a data breach this year. In June Oregon Driver & Motor Vehicle Services — which also uses MOVEitconfirmed that 3.5 million driver’s license and identification card files were compromised in a hack that happened earlier that month.