DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health data of more than 8 million people accessed by MOVEit hackers: US govt contractor

Posted on July 28, 2023 by Dissent

In what may be the largest health data breach reported so far in 2023, a government contractor affected by the MOVEit breach disclosed the breach in an SEC filing.  ANS reports:

Maximus, a US government services contracting company, has confirmed that hackers exploited a vulnerability in MOVEit Transfer to access the protected health information of 8 to 11 million individuals.

Maximus is a contractor that manages and administers federal and local government-sponsored programmes, as well as student loan servicing.

The breach is believed to be the largest healthcare data breach of the year, as well as the most serious to result from the MOVEit mass-hackings.

Read more at DaijiiWorld

The relevant section of Maximus’ SEC filing of July 26 reads:

Item 8.01    Other Events

On May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. It appears that a significant number of commercial and government customers worldwide were affected by this vulnerability. Maximus, Inc. (“Maximus” or the “Company”) uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs. The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability. The Company is cooperating with law enforcement regarding this cybersecurity incident.

Maximus promptly commenced an investigation of the incident with the assistance of outside legal, forensic and data analytics experts and has taken remedial steps to address the reported vulnerabilities. The Company’s forensic expert has completed the forensic aspects of the investigation, which has identified the files impacted by the cybersecurity incident. The Company’s review of these files is ongoing. At present, there is no indication that the incident has had any impact on the internal information technology systems of the Company or its customers beyond the MOVEit environment, and there has been no material interruption to the Company’s business operations due to the incident.

Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident. The Company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services.

Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023 representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident. The information provided in this Current Report on Form 8-K, including the estimated number of impacted individuals and estimated expenses, is preliminary and is based on currently available information and is subject to change during the course of the Company’s ongoing investigation of the cybersecurity incident. The Company’s review of impacted files is ongoing, and the Company is unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed, which we expect will not be for several more weeks. The Company is also unable to predict other potential liabilities or consequences that may arise from this incident. As the investigation progresses, additional information may become available that could cause the Company’s estimates and preliminary determinations to change.

Update:  When I couldn’t find Maximus listed on Clop’s leak site this morning, I tooted a question asking if anyone had spotted a listing. Thanks to @IntelSoup for showing me a screencap of the listing as it appeared on July 26. It appears to have been removed between yesterday and this morning. Whether its removal indicates negotiations or payments or just out for updating, is unknown at this point.

Category: Health DataOf NoteSubcontractorU.S.

Post navigation

← Crooks pwned your servers? You’ve got four days to tell us, SEC tells public companies
ALPHV ransomware adds data leak API in new extortion strategy →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.