MOVEit Transfer Cyberattack Impacts 1.2M at Pension Benefit Information

July 18, 2023 - More than 1.2 million individuals were impacted by a data breach at Pension Benefit Information (PBI) stemming from the widespread cyberattacks waged against Progress Software’s MOVEit Transfer software. The incident now ranks as one of the top ten biggest breaches reported to HHS so far in 2023.

PBI is a research service that provides various pension plan management services, including death audit, participant location, and uncashed check services. The company’s clients consist of large pension plans, insurance companies, financial institutions, and third-party administrators, its website states.

As previously reported, hundreds of organizations were impacted by a critical cybersecurity vulnerability that allowed unauthorized actors to gain access to MOVEit databases. Clop ransomware took interest in this vulnerability and claimed responsibility for many attacks.

“Among many other entities including the federal government, state governments, universities, healthcare organizations, and corporations around the world, PBI Research Services was also impacted by the recent MOVEit cyberattack in late May,” PBI explained.

“PBI Research Services uses Progress Software’s MOVEit file transfer application with some of our clients. At the end of May, Progress Software identified a cyberattack in their MOVEit software that did impact a small percentage of our clients who use the MOVEit administrative portal software resulting in access to private records. This incident did not gain access to PBI’s core systems or software.”

Outside of the isolated MOVEit Transfer server, PBI’s systems were not impacted by the breach. PBI assured clients that it would provide other data transfer options if clients felt hesitant about using MOVEit software.

In its notice to individuals, PBI said it was “unable to confirm whether your personal information was impacted,” but encouraged potentially impacted individuals to take steps to protect their personal information. The public notice did not identify the specific data elements that may have been breached.

Phoenician Medical Center Suffers Breach

Phoenician Medical Center (PMC), an integrated care network that serves the Phoenix Valley region of Arizona, disclosed a breach to HHS that impacted 162,500 individuals.

PMC and its affiliated companies, Phoenix Neurological & Pain Institute and Laser Surgery Center, learned of a data security incident on March 31, 2023 that disrupted its IT system operations. After containing the incident, PMC determined that an unauthorized party had accessed or acquired certain files on its systems.

The impacted information affected patients treated between 2016 and 2023 and consisted of names, contact information, demographic information, treatment and prescription information, medical record numbers, provider names, dates of services, and health insurance information.

PMC encouraged impacted individuals to review statements for any services they did not receive and remain vigilant against instances of fraud.