Vendor Data Breach Impacts 1.7M Oregon Health Plan Members

August 09, 2023 - Oregon Health Plan (OHP) notified 1.7 million members of a data breach that originated at one of its vendors, PH TECH, which offers a platform and administrative services for community health plans, suffered a breach due to a cyberattack on Progress Software’s MOVEit Transfer software.

As previously reported, dozens of organizations around the world have been reporting breaches stemming from a vulnerability in the MOVEit Transfer software, including Allegheny County in Pennsylvania, UT Southwestern Medical Center, and Johns Hopkins All Children’s Hospital.

At PH TECH, following notification from Progress Software, the company immediately moved its system offline and informed the FBI of the incident.

Further investigation determined that an unauthorized party used the MOVEit Transfer software and downloaded sensitive files that included names, Social Security numbers, dates of birth, addresses, authorization information, diagnosis and procedure codes, member ID numbers, and claim information.

PH TECH said that it disabled access to the platform, rebuilt how individuals can access the platform, and notified impacted individuals.

“We’re urging OHP members to activate credit monitoring as a precaution,” said Dave Baden, interim director at the Oregon Health Authority, in a news release.

“It’s disheartening that bad actors are looking to exploit people in our state and that their actions create a burden for others, who have more than enough to manage already. However, there are important steps that OHP members can take to further protect their data.”

Baden encouraged impacted individuals to watch out for additional information from PH TECH in the mail, request credit reports, and enroll in ID theft recovery services if needed.

Prospect Medical Holdings Faces Ransomware Attack

Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics across Southern California, Rhode Island, Pennsylvania, and Connecticut suffered a ransomware attack, the New York Times reported.

As of August 9, organizations across the network are still experiencing a systemwide outage. At Eastern Connecticut Health Network (ECHN), the outpatient medical imaging and outpatient blood draw centers are closed until further notice.

Hospitals across the Prospect Medical Holdings network, including Waterbury Hospital in Connecticut, Crozer Health in Delaware, and CharterCARE Health Partners in Rhode Island are all experiencing service disruptions.

This article will be updated as more information becomes available.

170K Impacted by Data Breach at The Chattanooga Heart Institute

The Chattanooga Heart Institute in Tennessee notified 170,450 individuals of a recent data breach that occurred when an unauthorized party gained access to the institute’s network between March 8 and March 16, 2023.

The Chattanooga Heart Institute discovered the cyberattack on April 17 and later learned that the unauthorized party had obtained copies of patient data. The attacker did not access the institute’s electronic medical record (EMR) system.

The information included in the breach consisted of names, phone numbers, email addresses, driver’s license numbers, Social Security numbers, health insurance information, diagnosis information, lab results, and other clinical and demographic information.

“Upon discovering the event, The Chattanooga Heart Institute moved quickly to investigate and respond to the incident, assess the security of The Chattanooga Heart Institute systems, and identify potentially affected individuals,” the breach notice stated.

MHMR Authority of Brazos Valley Suffers Data Security Incident

MHMR Authority of Brazos Valley in Texas notified more than 83,000 individuals of a data breach that impacted employees and patients of the nonprofit community health center.

MHMR suffered a security incident on November 5, 2022 and took immediate steps to secure its systems. Further review determined that names, Social Security numbers, financial account information, username and access information, medical record numbers, medical treatment information, and health insurance information were involved in the breach.

Despite HIPAA’s 60-day notification rule, MHMR notified impacted individuals of the breach on July 28, 2023, many months after the initial breach discovery.

MHMR said it has since implemented additional security measures to prevent future incidents.