Sensitive Data of 134,000 Massachusetts Residents Exposed in Massive Cyber Hack

Massachusetts health officials have announced that the personal information of over 134,000 residents has been compromised in a major hacking incident that has rippled across the globe.
An engineering student takes part in a hacking challenge near Paris on March 16, 2013. (AFP via Getty Images/Thomas Samson)
Tom Ozimek
8/16/2023
Updated: 8/16/2023

“More than 134,000 Massachusetts residents who are currently enrolled in certain state programs and services (or were enrolled in the last few years) had their personal information involved in a recent global third-party data security incident,” the Massachusetts Executive Office of Health and Human Services (EOHHS) said in a statement.

The large data security breach involved a file-transfer software program called MOVEit, which was used by the UMass Chan Medical School as part of some services it provides to EOHHS agencies and programs.

“No UMass Chan or state systems were compromised in this incident,” EOHHS said in the statement.

MOVEit is used by organizations to ship large amounts of often sensitive data, including pension information, Social Security numbers, medical records, and billing details.

The software was first found to have been compromised at the end of May, with an analysis by cybersecurity firm Emsisoft indicating that 668 organizations and over 46 million people have been impacted by the breach.

While the exposed data varies by person, EOHHS said that in Massachusetts, it included the person’s name and at least one other item of information, including mailing address, Social Security number, financial account information, and protected health information like diagnosis details.

“Impacted individuals are encouraged to remain vigilant by reviewing their financial account statements,” EOHHS said. “If you see charges or activity that you did not authorize, contact your bank or financial institution immediately.”

UMass Chan Medical School began sending out notification letters to affected individuals starting on Aug. 14, containing details of what data was impacted and what people can do to protect their information. It’s also offering free credit monitoring and identity theft protection services to people whose Social Security numbers or financial information were involved in the incident.

Primarily affected by the breach were participants in the following programs: State Supplement Program (SSP) participants (including recipients, other members of the household and authorized representatives), MassHealth Premium Assistance members, MassHealth Community Case Management participants, as well as Executive Office of Elder Affairs (EOEA) and Aging Services Access Points (ASAP) home care program consumers.

“If you do not participate in one of those programs, it is unlikely your data was exposed,” EOHHS said.

MOVEit Breach

MOVEit is a file transfer software program licensed by a Massachusetts-based company called Progress Software.

The company first identified a critical vulnerability in MOVEit Transfer in May, announcing that a SQL injection vulnerability had been discovered in MOVEit Transfer’s web application tool that could allow an “unauthenticated attacker” to gain access to its database and steal, alter, or delete parts of the database.

All MOVEit Transfer versions were affected by the vulnerability, although other products like MOVEit Automation or MOVEit Client were not susceptible to the vulnerability. The company posted a series of remedies, including patches for the various MOVEit Transfer versions.

The earliest exploit of MOVEit Transfer took place on May 27, 2023, according to cybersecurity firm Mandiant.

“The earliest evidence of exploitation occurred on May 27, 2023 resulting in deployment of web shells and data theft,” the company said in an announcement. “In some instances, data theft has occurred within minutes of the deployment of web shells.”

“The seemingly opportunistic nature of this campaign and the subsequent data theft is consistent with activity we’ve seen from extortion actors; however, victims did not initially receive any ransom demands,” Mandiant added.

However, on June 6, a hacking group named “clOp” claimed responsibility and began making ransom demands.

The most common targets, according to Emsisoft, have been U.S.-based organizations, accounting for 77.9 percent of known victims.

“The most heavily impacted sectors are finance and professional services and education, which account for 24.1 percent and 24.8 percent of incidents respectively,” the cybersecurity group said in a statement.

Emsisoft estimated that the cost of the breach could be as high as $37 billion.

America’s cyber watchdog agency reported that the U.S. government was targeted by the MOVEit exploit.

Eric Goldstein, the executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in a statement that several federal agencies had been compromised.

CISA did not identify the affected agencies or specify how they were affected.

Some cybersecurity experts have said that more incidents relating to the MOVEit exploit are likely in the future.

“We are just in the very, very early stage of this,” Marc Bleicher, chief technology officer of the incident response firm Surefire Cyber, told Reuters. “I think we'll start to see the real impact and fallout down the road.”

Nathan Little, whose firm Tetra Defense has responded to dozens of MOVEit-related incidents, told Reuters that the breach likely affected thousands of companies but the true tally may forever remain a mystery.

“We may never know the exact detailed number,” he told the outlet.