MOVEit Breach Notifications Continue to Roll In, Impacting Health Data

August 17, 2023 - Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.

Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.

MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

As these notifications continue to roll in, 2023 is shaping up to be another year of large-scale data breaches. The latest roundup of breaches shows a sampling of MOVEit disclosures along with other healthcare data breaches that impacted hundreds of thousands of individuals.

600K Impacted by MOVEit Hack at Radius Global Solutions

Radius Global Solutions, a debt collection agency, disclosed a healthcare data breach that impacted 600,794 individuals. The breach stemmed from a large-scale hack on Progress Software’s MOVEit Transfer software, which has impacted numerous organizations around the world.

On June 1, Radius learned that threat actors had been targeting a vulnerability in the MOVEit Transfer application. Radius launched an investigation immediately and determined that some documents within its MOVEit database were improperly accessed.

The impacted information included names, dates of birth, Social Security numbers, patient treatment codes and locations, and treatment payment history.

“Upon learning of the MOVEit vulnerability, we immediately investigated to determine any risk to information in the database,” the breach notice stated.

“We promptly reviewed the identified documents so we could notify relevant individuals. We continue to implement necessary patching and measures to secure the MOVEit database as we learn new information.”

134K Massachusetts Residents Impacted by MOVEit Breach

The University of Massachusetts Chan Medical School and the Commonwealth of Massachusetts notified more than 134,000 Massachusetts residents of a breach stemming from the MOVEit hack.

UMass Chan provides services to the Executive Office of Health and Human Services (EOHHS) and used MOVEit to transfer files. State Supplement Program (SSP) participants, MassHealth Premium Assistance members, MassHealth Community Case Management participants, and Executive Office of Elder Affairs (EOEA) and Aging Services Access Points (ASAP) home care program consumers were impacted by the incident.

“If you do not participate in one of those programs, it is unlikely your data was exposed,” the breach notice stated.

The Commonwealth of Massachusetts stated that residents that were impacted would receive a letter that explains what data was involved in the incident and what steps to take to protect their information.

VNS Health Plans Impacted by MOVEit

VNS Health Plans suffered a third-party data breach that originated at one of its vendors, TMG Health, which suffered from the MOVEit hack. The breach impacted 103,775 VNS beneficiaries.

TMG provides claim processing to VNS, which gives them access to protected health information pertaining to members. TMG learned that it had been impacted by a vulnerable instance of the MOVEit Transfer software on May 31, 2023.

TMG later confirmed that VNS files were impacted, including member names, contact information, Social Security numbers, Medicare or Medicaid numbers, billing information, provider names, and dates of service.

“VNS is committed to maintaining the privacy and security of your information and is taking this incident very seriously,” VNS stated. “VNS is ensuring that its impacted vendor, TMG, is taking all appropriate steps to address this incident, including updating its systems to prevent intrusions of this nature from occurring in the future.”

Tift Regional Health System Notifies Patients of Year-Old Breach

Georgia-based Tift Regional Health System recently notified 180,142 individuals of a healthcare data breach that occurred in August 2022. Upon discovery, Tift disabled the network and restored access without disruption.

Further investigation determined that an unauthorized party may have accessed or copied files between August 11 and August 17, 2022. The information included in the incident consisted of names, birth dates, Social Security numbers, and medical information.

Tift said it has since implemented additional safeguards and training for employees.

It is unclear why Tift waited until August 2023 to notify impacted individuals of the data breach.

Indiana Behavioral Health Provider Hit With Breach

Indiana-based Cummins Behavioral Health Systems informed more than 157,000 individuals of a healthcare data breach. In March 2023, Cummins discovered a ransom note within its digital environment.

“During a typical ransomware incident, cybercriminals try to encrypt or ‘lock’ an organization’s digital files in an attempt to get paid for a digital key to unlock the files. Significantly, no encryption occurred as a result of the incident,” Cummins informed patients.

The behavioral health system engaged a cybersecurity firm and determined that the incident took place between February 2 and March 9, 2023.

Information impacted by the breach included names, addresses, Social Security numbers, passport information, health insurance and medical information, financial account information, driver’s license numbers, usernames and passwords, and biometric information.

“Cummins Behavioral Health Systems, Inc. understands the inconvenience or concern that this matter may cause and remains dedicated to ensuring the privacy and security of information within its control,” the health system stated.