DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health data of more than 8 million people accessed by MOVEit hackers: US govt contractor

Posted on July 28, 2023 by Dissent

In what may be the largest health data breach reported so far in 2023, a government contractor affected by the MOVEit breach disclosed the breach in an SEC filing.  ANS reports:

Maximus, a US government services contracting company, has confirmed that hackers exploited a vulnerability in MOVEit Transfer to access the protected health information of 8 to 11 million individuals.

Maximus is a contractor that manages and administers federal and local government-sponsored programmes, as well as student loan servicing.

The breach is believed to be the largest healthcare data breach of the year, as well as the most serious to result from the MOVEit mass-hackings.

Read more at DaijiiWorld

The relevant section of Maximus’ SEC filing of July 26 reads:

Item 8.01    Other Events

On May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. It appears that a significant number of commercial and government customers worldwide were affected by this vulnerability. Maximus, Inc. (“Maximus” or the “Company”) uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs. The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability. The Company is cooperating with law enforcement regarding this cybersecurity incident.

Maximus promptly commenced an investigation of the incident with the assistance of outside legal, forensic and data analytics experts and has taken remedial steps to address the reported vulnerabilities. The Company’s forensic expert has completed the forensic aspects of the investigation, which has identified the files impacted by the cybersecurity incident. The Company’s review of these files is ongoing. At present, there is no indication that the incident has had any impact on the internal information technology systems of the Company or its customers beyond the MOVEit environment, and there has been no material interruption to the Company’s business operations due to the incident.

Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident. The Company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services.

Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023 representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident. The information provided in this Current Report on Form 8-K, including the estimated number of impacted individuals and estimated expenses, is preliminary and is based on currently available information and is subject to change during the course of the Company’s ongoing investigation of the cybersecurity incident. The Company’s review of impacted files is ongoing, and the Company is unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed, which we expect will not be for several more weeks. The Company is also unable to predict other potential liabilities or consequences that may arise from this incident. As the investigation progresses, additional information may become available that could cause the Company’s estimates and preliminary determinations to change.

Update:  When I couldn’t find Maximus listed on Clop’s leak site this morning, I tooted a question asking if anyone had spotted a listing. Thanks to @IntelSoup for showing me a screencap of the listing as it appeared on July 26. It appears to have been removed between yesterday and this morning. Whether its removal indicates negotiations or payments or just out for updating, is unknown at this point.

Related posts:

  • CMS Notifies Additional Individuals Potentially Impacted by MOVEit Data Breach
  • MAXIMUS notifies 3,029 patients after Business Ink mailing error exposes PHI
  • Centers for Medicare and Medicaid notifying 645,000 Medicare members about MOVEit breach (UPDATED)
  • Audits of New York schools and the State Education Department reveal ongoing significant concerns
Category: Health DataOf NoteSubcontractorU.S.

Post navigation

← Crooks pwned your servers? You’ve got four days to tell us, SEC tells public companies
ALPHV ransomware adds data leak API in new extortion strategy →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.