INDIANAPOLIS – A massive security breach of Indiana’s Medicaid system has put more than 744,000 Hoosiers at risk.
Personal information like names, addresses, Medicaid numbers and in some cases social security numbers have been involved in this breach.
Aaron Pritz, the CEO of Reveal Risk in Carmel says a ransomware gang with Russian ties called “CL0p” has been behind numerous major breaches.
Pritz says “CL0p” targeted MOVEit which is the third-party file transfer system Indiana Medicaid uses through Maximus Health Services.
“Their game is to attack companies, steal data or assets, computers, ransomware those devices and then ask for money to retrieve that,” said Pritz. “And it’s getting a little more escalated as companies decide not to pay. Their second tactic is to release the data they stole to the internet.”
In an announcement released Friday, FSSA reported that software used by a third-party contractor experienced a breach that exposed personal information like names, addresses, case numbers and Medicaid numbers. The incident occurred via the MOVEit application that Maximus Health Services uses.
Maximus alerted FSSA about the breach. Four Medicaid members’ social security numbers were impacted during the event.
The MOVEit breach hit companies worldwide in late May, per FSSA. The 744,052 individuals from Indiana affected by the incident are members of Medicaid who had received a communication from Maximus regarding the selection of a “managed care entity.”
In a separate press release, Maximus reported that it took MOVEit offline on May 31. It then applied vendor-recommended actions and patches to address the vulnerability within MOVEit. Maximus also engaged forensic investigation and data analysis firms to identify affected individuals and types of information involved.
The company noted it eventually learned that, from May 27-31, an unauthorized party obtained copies of certain files that were saved in the Maximus MOVEit application.
MOVEit has more than 668 companies impacted by the breach with more than 46 million people impacted worldwide.
“The good news is they’ve stolen so much information that it may be tough to publish it all, but that doesn’t give me any comfort really,” said Pritz.
As far as what Hoosiers can do to protect themselves, Pritz says to take advantage of free credit monitoring and credit freezing as soon as possible.
“It’s important to not overreact and not freak out. Do what’s right to protect yourself. Learn a little bit. If nothing else learn about cyber security,” said Pritz.
Pritz says the SEC just created a new rule that companies involved in a data breach have four days to make it public they have been impacted.
The rule is in effect now and Prtiz says compliance checks on the rule will start in December.
A full statement from Maximus can be found below:
Data privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us.
On May 31, Progress Software Corporation announced a critical security vulnerability in MOVEit, their managed file transfer software, which is used by many companies, including Maximus. We quickly took measures to respond to the situation and are thoroughly investigating the issue.
To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network.
We have been working with the subset of our customers who were using MOVEit as part of their workflows and continue to provide updates and support to them as our investigation proceeds. We continue to closely monitor our systems for any unusual activity.