Health Plan Services Firm Says MOVEit Breach Affects 805,000NASCO Is Among Growing List of Health Sector Vendors Hit By MOVEit Hacks
A Georgia-based firm that provides administrative services for health plans has joined other firms in reporting a major health data hack involving their use of Progress Software's MOVEit file transfer software.
In a report filed Friday to Maine's attorney general, NASCO said nearly 805,000 individuals were affected - including 2,840 Maine residents - by a hack involving MOVEit about six months ago - over Memorial Day weekend.
In its filing, NASCO said that on May 30 the company experienced a data security incident in which a threat actor acquired data from NASCO's MOVEit software.
"When NASCO learned of this incident on July 12, it promptly took steps to secure its systems, launched an investigation with the support of a leading cybersecurity firm and notified law enforcement authorities," the company said in its sample breach notice. Unfortunately, some personal information of health plan members was compromised in the incident, the company said.
That information includes individuals' names, Social Security numbers and other identifiers, NASCO said.
NASCO said its MOVEit server affected by the attack was decommissioned and is no longer accessible from the internet, and the company is no longer using MOVEit.
"Forensic evidence showed no threat actor activity outside of the MOVEit vulnerability exploitation. NASCO continues to work with law enforcement on this issue," the company said.
To help prevent similar incidents in the future, NASCO said it has implemented additional procedures to strengthen the security of its IT system environments. The company is also offering individuals 24 months of complimentary identity and credit monitoring.
Tally Keeps Growing
NASCO joins a massive and growing tally of companies affected by MOVEit hacks, including other third-party vendors that provide administrative and related services to healthcare sector organizations.
As of Tuesday, NASCO's MOVEit incident was not yet posted on the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
But among some of the other large MOVEit incidents added to the HHS HIPAA breach website in recent weeks was a hack affecting nearly 136,000 individuals reported by Radius Global Solutions, a Pennsylvania-based vendor that provides revenue cycle management services to healthcare entities as well as clients in other sectors.
Information potentially compromised in the Radius hack includes individuals' names, birthdates, Social Security numbers, medical treatment codes, treatment locations and treatment payment history, including health insurance provider.
Florida-based Arietis Health, another revenue cycle management services provider to the healthcare sector, recently told regulators it had experienced a MOVEit hack that affected 55 medical providers and nearly 2 million individuals (see: Breach Roundup: Citrix Patch Not Sufficient).
So far in the U.S., the largest of those healthcare sector breaches was reported by the Colorado Department of Health Care Policy and Financing, which earlier this month provided the state of Maine's attorney general with an updated breach report saying its MOVEit hack has affected nearly 4.2 million people - up from a count of nearly 4.1 million reported in August (see: Data Theft Via MOVEit: 4.5 Million More Individuals Affected).
As of Monday, security firm Emsisoft counted 2,561 organizations and nearly 67.2 million individuals affected by MOVEit breaches worldwide. This is based on public data breach notifications and victims listed by Clop on its data leak site, Emsisoft reported.
The largest so far of all those MOVEit hacks - affecting 11 million individuals - was reported by U.S. government contractor Maximus, Emsisoft said. The protected health information of nearly 2.8 million people was among the data compromised in Maximus' hack, according to the company's breach report filled to HHS on Aug. 4.
Burlington, Massachusetts-based Progress Software issued its first security alert about the MOVEit flaw, designated CVE-2023-34362, on May 31. Progress urged all customers to immediately take their software offline until they could upgrade it to a patched version that fixed the flaw.
The Russian-speaking cybercriminal group Clop exploited the MOVEit zero-day flaw before the patch, stealing large amounts of data in a rapid, high-impact campaign. The group has since been attempting to extort victims and has been posting the names and stolen data of nonpaying victims in its data leak site (see: Victims Sue Financial Firms Over MOVEit Data Breaches).