The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack

Posted By on Nov 10, 2023

The state of Maine has confirmed that it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, when a patch was released by Progress Software to fix the flaw; however, the vulnerability had already been exploited by the Clop hacking group and files containing sensitive data were downloaded between May 28, 2023, and May 29, 2023.

The files contained the sensitive data of state residents, employees, and individuals who received services from state agencies. More than half of the employees affected worked at the state Department of Health and Human Services, and between 10% and 30% worked at the Department of Education. The breached information included names, dates of birth, driver’s license numbers, Social Security numbers, and health and medical information.

According to the notice filed with the Maine Attorney General, the data of 1,324,118 individuals was impacted, 534,194 of whom were Maine residents. Notification letters are now being issued and complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed or stolen.

Greater Rochester Independent Practice Association Affected by MOVEit Hacks

Greater Rochester Independent Practice Association (GRIPA) in New York was also affected by the MOVEit hacks. GRIPA said it learned of the breach on May 31, 2023, when the patch was provided by Progress Software. Its forensic investigation confirmed on June 5, 2023, that files had been removed from its MOVEit server that included patients’ protected health information. A third-party vendor was engaged to review the files and the review was completed on September 1, 2023.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

GRIPA said medical records were not compromised and the impacted data was very limited in nature. Affected individuals are being told what information was affected in their individual notifications. The compromised information included information such as the name of their doctor, date of last visit, and prescription information. If Social Security numbers were compromised, affected individuals can sign up for complimentary credit monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 279,156 individuals.

Tri-City Medical Center Diverts Ambulances Following Cyberattack

Tri-City Medical Center in Oceanside, CA, is currently dealing with a cyberattack that has forced it to take certain systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, although the medical center said it is prepared to manage emergency cases that may arrive in private vehicles and that it is working with other healthcare providers in the community to ensure that healthcare services are provided.

A forensic investigation has been launched to determine the nature and scope of the incident and whether sensitive data was stolen. Further information will be released in the coming days and weeks as the investigation progresses.

Optum Medical Group’s Crystal Run Healthcare Investigating Potential Cyberattack

Crystal Run Healthcare in Middletown, NY, which has been acquired by Optum Medical Group, says it is experiencing system issues that are impacting some of its services, resulting in longer than usual wait times. The disruption started on or around November 3, 2023, and as of November 10, 2023, the healthcare provider had still not recovered. The cause of the outage was not stated in the notification, but it is fair to assume that it was a cyberattack.

Butler County Confirms October Cyberattack

Butler County in Pennsylvania has confirmed that it has experienced a data security incident. The attack was detected in early October, and by the end of the month, it had been confirmed that the individual responsible had gained access to personally identifiable information, mostly relating to criminal court proceedings. The review of the affected data is ongoing and, at this stage of the investigation, the county has not yet confirmed exactly what data was stolen and how many individuals were affected.

Notification letters will be mailed to the affected individuals when the review has been completed and county officials said credit monitoring services will be offered. This is the second security breach to affect the county in as many months. In September, a jail employee’s account was accessed and personally identifiable information was compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist