Trillium Community Health, tech companies sued over data breach

In a class action suit, an Oregon Health Plan member is suing over data a Russian hacker gang is already using for ransom
August 31, 2023

An Oregon Medicaid recipient has filed a federal class action lawsuit against a regional insurer and two technology companies, alleging they didn’t do enough to stop a data breach that allowed hackers to access the personal data of millions of people on the low-income health insurance program.

The lawsuit was filed on Monday in U.S. District Court in Portland against Trillium Community Health Plan, one of the state’s 16 coordinated care organizations that manage services to recipients of the Medicaid-funded Oregon Health Plan. It also targets Burlington, Massachusetts-based Progress Software and Salem, Oregon-based Performance Health Technology for their alleged role in the breach.

The lawsuit was filed on behalf of Jennifer Hopkins, an Oregon Health Plan recipient who was affected by the data breach. Hopkins is described in the lawsuit as being particularly careful with her personal data, but because of the breach she will now have to spend more time monitoring her accounts for fraudulent activity and verifying the legitimacy of communications.

“This time has been lost forever and cannot be recaptured,” reads the lawsuit, which also notes the annoyance and anxiety affecting Hopkins. “The harm caused to Plaintiff cannot be undone.”

The lawsuit could be the beginning of an ongoing legal mess following the announcement of the breach in August. It does not specify the amount of damages it is seeking to recover for victims of the data breach, and more victims could sign on.

The data breach centered on MOVEit, a file transfer program that has been the subject of hacks elsewhere. Russian cyber gang Clop has taken responsibility for the hack and has already begun using it to ransom and exploit data it obtained from MOVEit. 

MOVEit is owned by Progress Software. A spokesperson for MOVEit responded to a request for comment from The Lund Report with an emailed statement.

“We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed,” reads the statement. 

Trillium and Performance Health Technology did not immediately respond to a request for comment from The Lund Report.

Performance Health Technology immediately took action after finding out about the breach of MOVEit in June, taking its system offline and launching an investigation, according to a statement on its website. The company is currently offering theft protection services to affected people through IDX. 

However, the lawsuit argues that the companies should have taken more precautions given the number of highly publicized data breaches and that 392 million people had their personal information stolen in 2022. Specifically, the lawsuit accuses the companies of not following guidelines by the United States Cybersecurity & Infrastructure Security Agency and the Federal Trade Commission. 

“Defendants were, or should have been, fully aware of the unique type and the significant volume of data on their network, amounting to potentially millions of individuals’ detailed, personal information and, thus, the significant number of individuals who would be harmed by the exposure of the unencrypted data,” reads the lawsuit.