Performance Health Technology Facing Class Action Lawsuits Over MOVEit Cyberattack

Performance Health Technology (PH Tech), an Oregon-based provider of data management services to health insurers, is being sued by individuals who had their protected health information (PHI) compromised in a recent cyberattack. The attack on PH Tech was conducted by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The vulnerability was exploited on May 28, 2023, and Progress Software informed PH Tech about the flaw on June 2. The review of the affected files revealed that the data of several of its clients was stolen, including that of the Oregon Medicaid coordinated care organization, Health Share of Oregon.

The compromised information varied from individual to individual and included names, dates of birth, Social Security numbers, addresses, member ID numbers, plan ID numbers, email addresses, authorization information, diagnosis codes, procedure codes, and claim information. PH Tech explained in its notification letters that access to the platform was disabled as soon as the vulnerability was discovered, the patch was applied when it was released by Progress Software, and the MOVEit platform was rebuilt to prevent further unauthorized access.

PH Tech was one of hundreds of companies to have the vulnerability exploited. The Clop hacking group is known to have attacked at least 677 companies by exploiting the vulnerability, and the records of more than 42 million individuals were stolen in the attacks. The vulnerability was discovered and exploited by the Clop group before it was known to Progress Software, and no patch was available at the time the vulnerability was exploited.

At least two lawsuits have now been filed in District Court in Oregon in response to the data breach that name PH Tech as a defendant – Ballard v. Performance Health Technology, Ltd. & Malo v. Performance Health Technology, Ltd. The Ballard lawsuit names PH Tech customer Jordinn Ballard as the plaintiff, and the Malo lawsuit names Katelin Malo as plaintiff, individually, and as the natural parent and next friend of K.J., a minor, and Corrinna Reed and Joann Kindred.

The lawsuits both allege PH Tech was negligent for failing to secure the personally identifiable information (PII) and personal health information (PHI) of the plaintiffs and class members and for failing to comply with industry standards for protecting information systems. The Ballard lawsuit claims PH Tech failed to monitor its servers for potential security issues, and the Malo lawsuit claims that PH Tech’s lax security was a violation of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules and a violation of FTC guidelines.

In addition to negligence, the Malo lawsuit alleges negligence per se, breach of implied contract, unjust enrichment, and violations of the Oregon Unfair Trade Practices Act. The lawsuit also seeks an order from the court requiring PH Tech to improve data security, including engaging third-party security auditors to conduct testing, penetration testing, and audits of PH Tech’s systems, running automated security monitoring, training its staff, and improving access controls and firewalls.

The lawsuits claim that the plaintiffs’ sensitive data is in the hands of cybercriminals and that they face imminent and ongoing harm from the misuse of their data and will need to monitor their financial and personal records for years to come. Both lawsuits seek class action status, a jury trial, and damages in excess of $5 million.

The post Performance Health Technology Facing Class Action Lawsuits Over MOVEit Cyberattack appeared first on HIPAA Journal.