A whopping 1,750,000 health plan members in Oregon had their protected health information (PHI) compromised when hackers attacked a practice management company that serves community-based health plans.
Performance Health Technologies (PH Tech) is another victim of the MOVEit data breach and is now facing a HIPAA investigation and multiple class action lawsuits. PH Tech used the MOVEit file transfer program in its work, so the security flaw in MOVEit allowed the hackers to break into files held by PH Tech. PH Tech is a HIPAA business associate, and its customer, Health Share Oregon, is a covered entity.
The breach notice posted on its website explains that the cyber attack took place on May 30, 2023 and PH Tech learned about it on June 16, 2023. Hackers were able to download PH Tech files containing personal and protected health information of health plan members.
Hackers accessed enrollment, authorization, and claims files. The information compromised varies by person and might include name, date of birth, Social Security number, mailing address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure code, and claim information.
This is one of two cyber attacks on Oregon state agencies caused by the MOVEit software. The Oregon Department of Motor Vehicles announced in mid-June that an estimated 3.5 million driver’s license and identification card files were compromised by the MOVEit breach.
Lawsuits are Piling Up
When a healthcare data breach affects a large number of people, class action lawsuits often follow. So far, at least two proposed class actions have been filed against PH Tech in the U.S. District Court of Oregon: Ballard v. Performance Health Technology, Ltd.; and Malo v. Performance Health Technology, Ltd.
Even though the breach occurred through a flaw in another company’s software, PH Tech is not off the hook. The question is whether PH Tech had strong cybersecurity protections in place to prevent and detect cyber attacks. The plaintiffs who filed the lawsuits think not.
Both lawsuits allege PH Tech was negligent for failing to secure the personal information of the plaintiff and failing to comply with industry standards for protecting information systems. The Ballard lawsuit claims PH Tech failed to monitor its servers for potential security issues and the Malo lawsuit claims that PH Tech violated HIPAA’s Privacy and Security Rules and FTC guidelines – note, this is not a HIPAA lawsuit per se, but HIPAA is being held up as a standard of practice to measure against.
The lawsuits also allege breach of implied contract, unjust enrichment, and violations of the Oregon Unfair Trade Practices Act. They ask the court to require PH Tech to improve data security, train its staff, and improve access controls and firewalls.
The lawsuits claim that the plaintiffs’ medical identity is at risk, and that they face imminent and ongoing harm from the misuse of their data and will need to monitor their financial and personal records for years to come. Both lawsuits seek damages in excess of $5 million.
The outcome of the lawsuits is not guaranteed, and the final results are far in the future. In the meantime, PH Tech is likely already making improvements to its cybersecurity programs and strengthening its HIPAA compliance to reduce the chance of this happening again.