In what may be the largest health data breach reported so far in 2023, a government contractor affected by the MOVEit breach disclosed the breach in an SEC filing. ANS reports:
Maximus, a US government services contracting company, has confirmed that hackers exploited a vulnerability in MOVEit Transfer to access the protected health information of 8 to 11 million individuals.
Maximus is a contractor that manages and administers federal and local government-sponsored programmes, as well as student loan servicing.
The breach is believed to be the largest healthcare data breach of the year, as well as the most serious to result from the MOVEit mass-hackings.
Read more at DaijiiWorld
The relevant section of Maximus’ SEC filing of July 26 reads:
Item 8.01 Other Events
On May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. It appears that a significant number of commercial and government customers worldwide were affected by this vulnerability. Maximus, Inc. (“Maximus” or the “Company”) uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs. The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability. The Company is cooperating with law enforcement regarding this cybersecurity incident.
Maximus promptly commenced an investigation of the incident with the assistance of outside legal, forensic and data analytics experts and has taken remedial steps to address the reported vulnerabilities. The Company’s forensic expert has completed the forensic aspects of the investigation, which has identified the files impacted by the cybersecurity incident. The Company’s review of these files is ongoing. At present, there is no indication that the incident has had any impact on the internal information technology systems of the Company or its customers beyond the MOVEit environment, and there has been no material interruption to the Company’s business operations due to the incident.
Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident. The Company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services.
Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023 representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident. The information provided in this Current Report on Form 8-K, including the estimated number of impacted individuals and estimated expenses, is preliminary and is based on currently available information and is subject to change during the course of the Company’s ongoing investigation of the cybersecurity incident. The Company’s review of impacted files is ongoing, and the Company is unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed, which we expect will not be for several more weeks. The Company is also unable to predict other potential liabilities or consequences that may arise from this incident. As the investigation progresses, additional information may become available that could cause the Company’s estimates and preliminary determinations to change.
Update: When I couldn’t find Maximus listed on Clop’s leak site this morning, I tooted a question asking if anyone had spotted a listing. Thanks to @IntelSoup for showing me a screencap of the listing as it appeared on July 26. It appears to have been removed between yesterday and this morning. Whether its removal indicates negotiations or payments or just out for updating, is unknown at this point.