Mike Rogoway reports that Oregon’s worker’s compensation insurer, SAIF Corp., experienced a breach in October that potentially compromised policyholders’ information and workers’ compensation claimants’ personal and medical information.
On their breach-related site maintained for them by IDX, SAIF explains that on October 24, there was a brief period during which an unauthorized individual or individuals were able to access and acquire files from their network. They write:
Following an analysis of that data by third-party cybersecurity experts, we have evidence to suggest that the majority of the accessed data was from information collected prior to 2003. If you had a policy or a claim before January 1, 2003, there is a possibility that your data was compromised. For policyholders, that data may have included Social Security numbers, financial account numbers, and medical information about employees of policyholders. For claimants, the data may have included Social Security numbers, driver’s license numbers, financial account numbers, health insurance policy numbers, and medical history information.
They offer no statement as to why they were still storing files from prior to 2003, but a spokesperson for SAIF sent DataBreaches the following statement in response to our question about whether retention was required:
SAIF is subject to ORS 192 requiring records retention and our specific record retention schedule is approved by the Oregon State Archivist. SAIF is required to retain policy files and worker accident claim files for 75 years from the date of the policy or, in the case of a claim, the worker’s injury.
DataBreaches also inquired whether the old files had been connected to the internet without any encryption. The spokesperson responded:
We moved to all electronic files and, as part of this, scanned older paper files. The files were not encrypted but stored on an internal system not exposed to the internet through any of SAIF’s customer facing systems.
SAIF’s statement also states:
There is also evidence a limited amount of recent claimant data may have been impacted. If you are a claimant and received any written communication from SAIF on your claim dated between September 24, 2022, and October 25, 2022, there is a possibility that data was also compromised. This data was limited to the accepted and denied medical conditions in the claim.
According to Rogoway, SAIF notified customers on Dec. 8. The number of people possibly affected has not been disclosed at this point.
In response to another queston from DataBreaches about whether SAIF has received any ransom message or communication, the spokesperson responded that SAIF did not receive a ransom message.