Up to 11 Million Health Records Compromised in Cyberattack on Government Contractor
Reston, VA-based Maximus Inc., a government services contracting company, has announced in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023 and accessed the protected health information (PHI) of between 8 and 11 million individuals. The Clop ransomware group was responsible for the attack and Maximus was one of hundreds of entities to be affected by the Clop group’s mass exploitation of the zero-day vulnerability.
According to the filing, Maximus used MOVEit Transfer for internal and external file sharing, including sharing data with government customers who participate in various government programs. After being notified of the vulnerability and data breach by Progress Software, Maximus launched a forensic investigation and a review of the affected files. While that review is still ongoing, Maximus has confirmed that the impacted files contained protected health information. Maximus said it cannot confirm precisely how many individuals have been affected until the review is completed, and that it anticipates the process will take several more weeks.
Maximus has notified the affected customers and will provide notice to all affected individuals when the review concludes. Affected individuals will be offered complimentary credit monitoring and identity theft protection services for 24 months. Maximus has recorded expenses of $15 million for the quarter to June 30, 2023, in relation to the data breach.
The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) initially reported the breach as affecting 612,000 current Medicare recipients and up to 645,000 individuals in total, but later amended the total to 2,342,357 individuals. The CMS said it is working with Maximus to provide notice to the affected individuals. The CMS said the stolen data includes names, dates of birth, mailing addresses, telephone numbers, email addresses, Social Security numbers/taxpayer identification numbers, Medicare beneficiary numbers, driver’s license numbers, state identification numbers, health insurance information, claims information, health benefits and enrollment information, and medical histories, which include notes, medical records/account numbers, conditions, diagnoses, images, treatment information, and dates of service.
Maximus reported the breach to the HHS’ Office for Civil Rights as affecting 2,781,617 individuals, with several Maximus clients opting to report the breach themselves.