<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt=""> Progress MOVEit Breaches Expose PHI and PII for Over 80% of Oregon's Population

Progress MOVEit Breaches Expose PHI and PII for Over 80% of Oregon's Population

TABLE OF CONTENTS

    See Virtru In Action

    { content.featured_image.alt }}

    When you think about the personal information that's most valuable to you — the data you really want to keep private and secure — your healthcare information is probably high on the list. Your personal identification, such as your driver's license, is almost certainly up there, too. 

    For more than 80% of Oregon's residents, that valuable personal data has been compromised. Two major cyber attacks exploiting vulnerabilities in Progress MOVEit Transfer have exposed personally identifiable information (PII) and protected health information (PHI).

    A hack of the Oregon DMV System put all Oregon state ID and driver's license data at risk (3.5 million Oregonians, over 80% of the state's population of 4.2 million), and a hack of an Oregon Health Plan contractor included PII and PHI data for over 1.7 million individuals.

    In this article, we'll explore what we know about these attacks, what we can learn from the outcomes, and what they mean for state and local cybersecurity strategies moving forward.

    Let's Start With the Data: State and Local Government Agencies and Supply Chains

    Oregon isn't alone in its predicament: Other state government agencies, including the Louisiana DMV and the Minnesota Department of Education, have also experienced data breaches as a result of the same MOVEit vulnerabilities. The two large-scale breaches in Oregon, however, put a spotlight on the massive scale of constituent data that governments manage. Oregon's DMV alone manages PII for over 80% of Oregonians.

    What's in it for the hackers? Valuable data, which means valuable leverage (as we see in ransomware attacks) and, in many cases, valuable insights for espionage.

    It's easy to see why government agencies are increasingly targeted by sophisticated cyber attacks: They've got high volumes of high-value data. Each government entity can house massive amounts of constituent information, and that PII and PHI may be accessible in multiple locations across that agency's systems and platforms — not to mention the fact that several vendors and contractors may also have access. 

    In the U.S., when you multiply that out across 50 states and the many interconnected agencies that make up a state government — including down to the local level, like city governments, law enforcement, and school districts — and you include each of those organization's vendors who have system or data access, you discover that PII and PHI data lives, and moves, everywhere.

    As we examine these complex security challenges that states face, it's important to understand what happened with the two major breaches in Oregon.

    The Oregon Health Plan Contractor Hack: Timeline & Exposed Data 

    The Oregon Health Plan is the state's program for Medicaid and children's healthcare coverage. An Oregon Health Plan contractor, PH Tech, disclosed that it experienced a data breach resulting from a vulnerability in Progress MOVEit software. Here's what happened: 

    • May 30, 2023: The date of the incident, in which an unauthorized individual used Progress MOVEit software to download PH TECH data files. This incident was undetected at the time of the attack.
    • June 2, 2023: PH Tech was informed of the Progress MOVEit vulnerability, immediately took its system offline, launched an investigation, and informed the FBI.
    • June 16, 2023: The investigation revealed that the incident had taken place May 30, and that some of its customers were affected. Those customers were notified same day.

    The Oregonian reports that 1.7 million clients were impacted — and because of the nature of the Oregon Health Plan, we can assume that low-income families and children will see the most significant ramifications. According to PH Tech, the exposed information is believed to include:

    • Names
    • Dates of birth
    • Social security numbers
    • Mailing addresses
    • Email addresses
    • Health records that could include diagnoses, procedures, claims and member and plan ID numbers

    That's a lot of critical data, for nearly half of the population of Oregon. In conjunction with IDX, the organization is providing free identity theft protection to those affected. 

    The Oregon DMV Cyber Attack: Timeline & Exposed Data

    A cyber attack, also exploiting vulnerabilities in the Progress MOVEit software, also targeted the Oregon Division of Motor Vehicles (DMV). The Oregon Department of Transportation released a statement detailing the sequence of events and the data exposed as a result of the breach:

    • June 1, 2023: The State of Oregon became aware of a vulnerability in Progress MOVEit.
      Upon learning of the problem, the Oregon Department of Transportation (ODOT) quickly activated its emergency response procedures. ODOT worked with state cybersecurity professionals to immediately secure affected systems. ODOT also took immediate steps to investigate what, if any, of its information was affected by the vulnerability.
    • June 12, 2023: It was confirmed that the actors behind the hack of MOVEit Transfer accessed ODOT's data. This data contains personal information for approximately 3.5 million Oregonians. Even though the ODOT data was encrypted, it is widely understood that the hackers were able to read the data because of the vulnerability in MOVEit
    • June 15, 2023: ODOT notified the public about the MOVEit Transfer breach. ODOT notes that anyone with an active Oregon driver's license, ID card, or permit should assume their personal information was exposed in the hack, and that affected individuals should take action to avoid any misuse.

    Unfortunately, citizens' ability to make any changes to their ID information is limited: The announcement states that the DMV "also cannot change the number on your card unless there is proof that your name and number were used in committing a fraudulent act. If that happens, you should first call police to report the crime." 

    The ODOT states "data records for Oregon driver's licenses, permits, and ID cards" were accessed in the cyber attack.

    Moving Forward: Diversifying Data Security 

    Whether you've patched your MOVEit software and want to continue with that vendor, or if you're looking for new solutions, here are some ways to bolster your cybersecurity moving forward.

    Create Layers of Security

    Diversification isn't just good for your financial portfolio. It's also good for your security stack. A strong cybersecurity strategy is layered, with protections in place to safeguard systems, apps, endpoints, and — critically — the data itself. If, and when, one layer of your security stack fails, you want additional layers to pick up the slack and reduce the overall impact. 

    Separate Data and System Access

    It's also wise to create degrees of separation between access to systems and access to data. As we saw in the Microsoft cloud vulnerability that exposed government email data, when data access and system access are intertwined, hackers may be able to exploit entire systems, quietly exfiltrating large volumes of highly sensitive data in one fell swoop. When you separate data and system access, should someone gain unauthorized access to your systems, they won’t automatically have access to the data, too.

    Limit Data Access Based on Need

    Rather than granting access to entire servers, drives, or even folders containing sensitive information, manage data access in a way that makes sensitive information accessible only to those with a true business need to know. Implementing tools with granular, attribute-based access control (connected to your identity and access management, IAM, platform) can go a long way in mitigating potential risk.

    Focus on the Data

    Not sure where to start? Start with the data. After all, the data itself is the asset you're trying to protect. It's the target of cyber attacks and exfiltrations. Data is your most valuable asset — so when you focus there, other layers of cybersecurity strategy will fall into place. 

    Want to Assess Your Security Posture? Let's Talk. 

    At Virtru, we recognize that no one vendor will solve your entire security picture. However, our technology can integrate with your most commonly used apps — from Google Workspace to Microsoft 365, Salesforce, and Zendesk — to apply powerful, data-centric security and encryption to sensitive data. If person-to-person secure file-sharing workflows are important to your organization and you're looking to move away from Progress MOVEit, Virtru Secure Share may well provide the secure file-sharing capabilities you're looking for. 

    Our split-knowledge architecture, granular access control, and military-grade encryption provide robust security that follows data anywhere it moves. We'd love to be one of the foundational, data-centric layers of your security strategy: Contact our team today to book a demo

    Megan Leader

    Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.

    View more posts by Megan Leader

    See Virtru In Action