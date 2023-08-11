Health Data Company Sued After Russian Hackers Steal 1.7 Million People’s Medical Records - The Messenger
Business.
Health Data Company Sued After Russian Hackers Steal 1.7 Million People’s Medical Records

A Russian hacking collective stole social security numbers and personal patient health data earlier this year

William Gavin
The U.S. Office of Civil Rights is actively investigating 901 data breaches that affected the healthcare industry over the last two years.boonchai wedmakawand/Getty Images

Performance Health Technology, an Oregon company that provides data management services to healthcare insurers, was hit with two class action lawsuits this week after Russian hackers exposed the private information of 1.7 million people in May.

Both lawsuits allege that PH Tech failed to secure customers’ data on file transfer service MOVEit Transfer, which was accessed by Russian hacking group “Clop” on May 28 through a security flaw. The company told customers it discovered the attack on its server on June 2. Later that month PH Tech determined that data it received from Health Share of Oregon, the state's largest Medicaid coordinated care organization, was exposed, according to the class action suit filed on Aug. 7.

Separately, plaintiffs in each lawsuit affirmed that there are over 100 class members and they are seeking over $5 million. 

The data breach has left users at risk “for their respective lifetimes,” according to the Aug. 10 lawsuit filed by PH Tech customer Jordinn Ballard. Katelin Malo, one of the plaintiffs in the Aug. 7 lawsuit, alleges that both she and her son, who is a minor, have had their social security numbers and other information exposed by the hack.

“The Private Information compromised in the Data Breach contained highly sensitive data, representing a gold mine for data thieves,” Ballard's suit alleges. “The data included, but is not limited to, Social Security numbers, member and plan ID numbers, and [private health information] that PHT collected and maintained.”

The Aug. 10 lawsuit also alleges that PH Tech failed to properly monitor its servers for potential issues, which compromised its users private information. Malo's lawsuit further claims that the company’s should have been more vigilant, considering both the industry it operates in and the nature of the data it managed. 

The U.S. Office of Civil Rights currently has 901 active investigations into data breaches in the healthcare center that occurred over the last 24 months, according to its online portal. While healthcare data breaches have consistently increased since 2012, they’ve spiked in recent years. There were over 700 breaches reported in 2021, up from 500 in 2019 and slightly more than 200 breaches in 2012, according to the U.S. Department of Health and Human Services. 

The Aug. 7 lawsuit alleges that PH Tech has not yet reported the breach to the U.S. Department of Health and Human Service, the Office of Civil Rights or the Oregon Department of Justice, as required.

The MOVEit-related breach was not targeted at PH Tech alone. Cybersecurity company Emsisoft said there are currently 560 MOVEit victims, which has impacted the personal data of more than 40 million people, according to TechCrunch.

The Russian hackers are listing new victims, including the U.S. Department of Energy and U.K. communications regulator Ofcom, on its dark web leak site, TechCrunch reported last week.

