Health data is among the most sensitive personal data—and millions of Americans had their data stolen because of a vulnerability in the MOVEit file transfer system. Reports on the breach's impact have trickled in over several weeks, highlighting that it often takes time for organizations to recognize that they have been breached.
Several million Americans have been affected by a data breach involving MOVEit, a widely used managed file transfer application that many organizations rely on to exchange files. Attackers exploited a zero-day vulnerability, one the software maker, Progress Software, was unaware of at the time, to access customers’ sensitive data. The Russian ransomware gang known as CL0p has claimed responsibility for the hack and has published the names of victims including banks, hospitals, energy companies, hotels, and other organizations.
Several of the health care victims were reached through a vendor. Through IBM, which used MOVEit in its work for those agencies, attackers gained access to data belonging to the Colorado Department of Health Care Policy and Financing (HCPF) and to Missouri’s Department of Social Services (DSS). Maximus Health Services (a vendor serving, among others, the Indiana Medicaid program) and PH Tech (a vendor serving insurance companies) were breached through their own use of MOVEit. These are just some of the more than 650 organizations victimized by the MOVEit breach, which has affected more than 46 million individuals worldwide.
In each of these cases the breach reached the health agency through a vendor that provided services to it. That points to two obligations: organizations must vet their vendors’ cybersecurity and privacy standards, and vendors in turn must monitor vulnerability notifications from the software makers they depend on and patch or mitigate quickly.
The health care data breach in Colorado affects more than 4 million patients, and the one in Indiana affects almost 750,000. The breach of PH Tech included health data on 1.7 million Oregon residents. It is uncertain how many Missourians have been affected, but more than 6 million live in the state.
Breached data includes:
- Patients’ full names, dates of birth, and home addresses
- Social Security numbers, Medicaid and Medicare ID numbers
- Income information
- Clinical and medical data (including lab results and medication)
- Health insurance information, eligibility information, and claims information
The impact of this breach is widespread because so many vendors rely on MOVEit to carry business-to-business file transfers. It highlights the risk in the supply chain: a vulnerability anywhere down the chain can have a devastating impact on organizations that may be only dimly aware of the software tools supporting their relationship with a vendor.
What is an organization to do? The most important element is reviewing vendors to make sure the controls they have are proportionate to the risk associated with the data they handle. This both prevents putting data into untrustworthy hands and demonstrates due diligence when something does go wrong. Some controls are technical, but some are by necessity contractual or administrative, such as requiring patch management policies. And because things do go wrong, the agreement must also address breach response: notification in the event of a breach, indemnification, and insurance.
Organizations need to classify and categorize their vendors based on the risk they may pose to the organization, especially those processing or holding sensitive PII. Learn some tips on how to evaluate your risk exposure from third-party service providers in Exterro’s Basics of Data Privacy.