Cyber Incident Victim: Performance Health Technology
Date: May 2023
Location: United States of America
Summary
A cybersecurity incident occurred at Performance Health Technology (PH TECH) involving an external system breach of its third-party file transfer software, Progress MOVEit. An unauthorized actor exploited a vulnerability in the vendor's system to download files containing the personal and protected health information of approximately 1.7 million individuals. The compromised data included names, dates of birth, Social Security numbers, member IDs, and health claims information. PH TECH offered affected persons complimentary credit monitoring and identity theft protection services.
Description
On or around May 30, 2023, a coordinated data hack occurred against the systems of Progress MOVEit, a company that provides software for the secure electronic transfer of files. This external system breach, or hacking, created a vulnerability that could allow attackers to access its system and download files. Performance Health Technology (PH TECH), a private healthcare vendor providing services to the Oregon Health Plan (OHP) to help manage member data, utilized the Progress MOVEit software. On June 2, 2023, Progress MOVEit informed PH TECH of the breach in its software. Upon being notified, PH TECH immediately moved its affected system offline and initiated an investigation to determine if its systems were compromised. The company engaged a cybersecurity firm to assist with the forensic analysis and also notified the Federal Bureau of Investigation (FBI) of the incident.

The investigation confirmed that an unauthorized individual had exploited the vulnerability in the Progress MOVEit software and successfully downloaded PH TECH data files. The breach occurrence date was confirmed to be May 30, 2023, though PH TECH did not discover that its specific data had been affected until June 16, 2023. On that same day, PH TECH began notifying its customers whose data it protected that their information had been involved in the incident. The forensic analysis to identify the full scope of impacted individuals continued through July 25, 2023. PH TECH estimated that approximately 1.7 million individuals in total were affected by this breach, including 27 residents of the state of Maine.
The information accessed by the unauthorized actor consisted of data files that PH TECH protects on behalf of its customers. The compromised data included both personal information and protected health information sourced from various files such as those related to enrollment, authorization, and claims. The specific information exposed varied from person to person but potentially included name, date of birth, Social Security number, address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure code, and claim information. The breach did not involve or compromise any state systems directly.
In response to the incident, PH TECH took several containment and remediation actions. The primary step was to immediately disable access to the vulnerable platform upon learning of the issue from Progress MOVEit. The company then addressed the specific problem and rebuilt the method of accessing the platform to ensure that no further unauthorized access to files could be obtained through the Progress MOVEit software. This action was taken to secure the system against future exploitation via the same vulnerability.
PH TECH provided notification of the breach to affected individuals. Notification was made in writing, and the mailing of letters to impacted individuals began on July 31, 2023. The letters included information about the incident and an offer of free credit monitoring and identity theft protection services. These services were provided through the vendor IDX and included credit monitoring, identity theft protection and insurance, and dark web monitoring for a duration of twelve months. Additionally, affected individuals were offered identity theft recovery services at no cost, if needed. The deadline for individuals to enroll in these free services was set for January 30, 2024. A dedicated resource was established for inquiries, directing individuals to visit a specific website or call a toll-free number operated by IDX, whose representatives were briefed on the incident.
The Oregon Health Authority (OHA) publicly addressed the breach, urging Oregon Health Plan members to monitor their credit as a precautionary measure following PH TECH's announcement. The interim director of OHA characterized the event as disheartening and noted that the actions of the bad actors created an additional burden for those affected. The scale of the breach, affecting 1.7 million people, marked it as a significant cybersecurity event involving a third-party vendor in the healthcare sector. The incident was formally reported to the Office of the Maine Attorney General, as required by data breach notification laws, due to the impact on a small number of that state's residents.
