Hackers behind the mass-exploitation of a vulnerability in the popular corporate file transfer tool MOVEit Transfer have accessed the protected health information of 1.7 million Oregon citizens.
Performance Health Technology (PH Tech), a company that provides data management services to U.S. healthcare insurers, confirmed in a notice this week that it was impacted by the MOVEit mass-hacks. “We found out that an unauthorized person used the Progress MOVEit’s software and that PH Tech data files were downloaded,” the organization said in a notice on its website.
PH Tech said that hackers accessed patients’ personal and protected health information, including names, dates of birth, Social Security numbers, email and postal addresses, member and plan ID numbers. The hackers also accessed sensitive health information, including insurance authorizations, diagnosis and procedure codes, and claims information.
PH Tech hasn’t said how many individuals were affected by the breach of its systems. However, a separate notice from the Oregon Health Authority states that an estimated 1.7 million of its members were affected.
“We’re urging [Oregon Health Plan] members to activate credit monitoring as a precaution,” Dave Baden, interim director of the Oregon Health Authority, said in a statement. “It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already.”
Second breach of Oregon data
As this latest breach demonstrates, the fallout from the MOVEit mass-hacks continues to grow.
The Oregon Health Authority is the second Oregon state agency to experience a MOVEit-related data breach. In June, the Oregon Department of Transportation confirmed it had been hit by the mass-hacks, leading to the compromise of 3.5 million driver’s license and identification cards.
Last week, Maximus, a U.S. government services contractor, said that hackers accessed the protected health information of as many as 11 million individuals in a MOVEit-related breach. More than 600,000 of those affected are Medicare beneficiaries, according to a statement by the Centres for Medicare and Medicaid Services.
Serco, a contractor for the U.S. government, said in a breach notification filed this week that hackers accessed the personal information of more than 10,000 employees from its benefits administrator, and Pennsylvania’s Allegheny County confirmed a breach impacting almost a million residents.
According to the latest figures from cybersecurity company Emsisoft, there are currently 580 known MOVEit victims, impacting the personal data of more than 40 million individuals.
Clop, the Russia-linked hacking group responsible for the wave of mass-attacks, continues to list new victims on its dark web leak site — and publish data it claims to have stolen from targeted organizations. The list includes U.K. communications regulator Ofcom, Dutch GPS company TomTom and the U.S. Department of Energy.