State officials are warning more than 134,000 Massachusetts residents that their personal information was part of a third-party data breach affecting millions around the world.
Who was affected?
Individuals who are currently or previously enrolled in certain state healthcare programs at UMass Chan Medical School in Worcester could be at risk of a data security incident involving file transfer software called ” move itsaid the Executive Office of Health and Human Services a press release Tuesday.
The violation affects individuals who were or are enrolled in the State Supplement Program (including recipients, other household members, and authorized representatives), MassHealth Premium Assistance, MassHealth Community Case Management, or the Executive Office of Elder Affairs and Aging Services Access Points home care programs, it says in the press release.
According to the bureau, neither the data security systems of UMass Chan Medical School nor the state were affected by the breach. The Bureau of Health and Human Services is notifying people whose information may have been leaked by mail, and also where possible by phone, text message and email, the release said.
What information was leaked?
While the information associated with the violation varied, it included names and one or more of the following:
- birth date
- postal addresses
- Protected health information, such as diagnosis and treatment information, prescription information, provider names, benefit dates, claims information, health plan member ID numbers, and other health plan-related information
- social security number
- Financial Account Information
The state’s letter aims to explain what data may have been leaked, how the state responded to the breach, and how those affected can protect their personal information, the press release said.
“Any person who receives a notification is urged to take steps to protect their information, including monitoring their bank statements and opting in for free credit monitoring and identity theft protection offered to those who share certain sensitive information is acting,” the bureau wrote in the press release.
UMass Chan is offering free credit monitoring and identity theft protection services to those whose social security numbers and/or financial information were part of the breach, the release said.
How the breach happened
MOVEIt, operated by tech giant IBM, was hacked earlier this summer by a Russian-linked ransomware group called Clop. according to TechCrunch. The group found a previously unknown vulnerability in the software and has been publicly listing the alleged victims since June 14.
The victim list includes nearly 700 organizations including banks, hospitals, hotels, energy giants and government health departments across the country. Clop said it would reveal the “secrets and dates” of all MOVEit victims who refused to negotiate on Aug. 15, TechCrunch reported.
MOVEit is owned by software company Burlington, Massachusetts progress software.
UMass Chan learned about the MOVEit vulnerability on June 1st. The medical school immediately patched the vulnerability, contacted law enforcement, launched an investigation, and worked to determine what information was compromised, the release said.
UMass Chan was eventually able to determine which files may have been affected by the data breach. The medical school found that some of those files contained information about people enrolled in state programs as of July 27, the release said.
For more information visit mass.gov/MOVEitIncident or call 855-862-7769.
Subscribe to Newsletter
Stay up to date with the latest news from Boston.com