Hackers have accessed the protected health information of “at least” 8 to 11m individuals, US government services contractor Maximus has confirmed in a report, in what is potentially a huge data breach.
Maximus is a Virginia-based technology company that helps streamline government services – such as Medicaid, Medicare and welfare-to-work – at a local, state and federal level.
This data breach is just one of many that have contributed to a new record of 1,393 data compromises in the first half of 2023. By comparison, 2021’s total number was 1,862.
Social Security Numbers And Health Information Affected
In an 8-K filing earlier this week, Maximus confirmed that the personal information – which includes Social Security numbers and protected health information – of individuals had been accessed by hackers who were able to exploit a zero-day vulnerability within MOVEit Transfer.
MOVEit Transfer is a solution used by Maximus to share data with its government customers about the individuals who use its programs.
Maximus hasn’t yet confirmed what specific health data was accessed, but it has begun to notify customers and federal and state regulators who have been impacted. The company has also estimated that the entire incident will cost around $15m to investigate and rectify.
The company expects a full report on the number of individuals impacted to take “several more weeks”. It has also stated that there could be up to 11m people impacted, which would make this the largest breach of healthcare data this year.
According to The Identity Theft Resource Center, the healthcare sector is the worst hit when it comes to data compromises, with 379 counted in the first half of this year alone.
Maximus Just One Of Hundreds Hit By MOVEit Transfer Hacks
The outfit behind the recent breach is Clop, a Russia-linked data extortion group that uploads hacked information to its dark web leak site. As well as recently attacking PwC and Ernst & Young, Clop claims to have also hacked Deloitte and Flutter, which owns Fox Bets and Poker Stars, this week alone.
Clop claims to have stolen 169GB of data from Maximus but none of it has been published yet.
The hackers have also claimed Pensions Benefit Information, which provides pensions plan management services across a range of sectors, as another recent victim. The company confirmed the breach but hasn’t stated how many individuals have been affected.
However, four clients of Pensions Benefit Information have stated that the data of more than 4.75m people was accessed.
This latest data breach by Clop adds to the more than 500 organizations that have been impacted by the mass MOVEit hacks, which have in turn affected more than 34.5m people.