MOVEit Hackers Accessed Health Data of 'At Least' 8 Million Individuals

An anonymous reader quotes a report from TechCrunch: U.S. government services contracting giant Maximus has confirmed that hackers exploiting a vulnerability in MOVEit Transfer accessed the protected health information of as many as 11 million individuals. Virginia-based Maximus contracts with federal, state and local governments to manage and administer government-sponsored programs, such as Medicaid, Medicare, healthcare reform and welfare-to-work. In an 8-K filing on Wednesday, Maximus confirmed that the personal information of a "significant number" of individuals was accessed by hackers exploiting a zero-day vulnerability in MOVEit Transfer, which the organization uses to "share data with government customers pertaining to individuals who participate in various government programs."

While Maximus hasn't yet been able to confirm the exact number of individuals impacted -- something the company expects to take "several more weeks" -- the organization said it believes hackers accessed the personal data, including Social Security numbers and protected health information, of "at least" 8 to 11 million individuals. If the latter, this would make the breach the largest breach of healthcare data this year -- and the most significant data breach reported as a result of the MOVEit mass-hacks. Maximus has not confirmed which specific types of health data were accessed and has not responded to TechCrunch's questions. In its 8-K filing, the company said it began notifying impacted customers and federal and state regulators, adding that it expects the security incident to cost approximately $15 million to investigate and remediate. Clop, the Russia-linked data extortion group responsible for the MOVEit mass-hacks, claims to have stolen 169 gigabytes of data from Maximus, which it has not yet published. The report notes that "more than 500 organizations have so far been impacted by the MOVEit mass-hacks, exposing the personal information of more than 34.5 million people."

Not costly enough

[guruevi]

$15M for 10M records is less than $1.50/person. Surely not costly enough to warrant any changes. A glorified cronjob + FTP software that’s hanging its administrative interface on the web accessible to the world, not even a WAF, with simple cookie and SQL injection pathways and oh yes, the primary cause being the IRS and Medi* programs mandates its use and as a result every major bank and health institution uses it to shuffle our information back and forth.

First problem: Government should not collect a

Re:

[Canberra1]

Fourth Problem. Mandated software should be critically reviewed each year - but it was not. Vendors cannot be trusted alone. THis is not the only problem/software - there are others. Continuous Partial attention WILL see more disasters in the future. Fifth problem. Full disclosure. Not only of the CVE's but everything else, and the budget spent on 'maintenance'.

Re:

[herberttlbd]

I'd be willing to bet this company has every healthcare security cert under the sun and goes through some kind of audit annually. Security professionals and accounting firms that know what to look for and where to look don't stay in business too long because they cause too many problems.

Re:

[guruevi]

They were audited from what I understand. Hefty money transfers to Gartner, E&Y and PWC to “audit” the software.

Re:

[Canberra1]

Professional Negligence. Bring on class action lawsuits. Then try to understand what the reports scope was about, or if there was a footnote, errr qualification like 'all care, no responsibility'. The people who signed off on that report, should also be exited out from holding any position.

Re:

[guruevi]

Those audit companies don't employ real hackers or coders, they are just there to rubberstamp your process. I just wanted to point out third party audits are pointless, you can always find someone to just pay and go away.

Re:

[Canberra1]

Well, the Cyber Insurance companies should just triple their premiums and say 'Well that accounting firm audit' is worthless, because they were not competent in the past. The premium for a soft non-techncal audit with barn door qualifications is 10X, and one from respectable firm 2x if they also to latest pen tests as well. No more insurance.

Re:

[herberttlbd]

I've worked with Medi* at the federal level and they don't mandate software. They've got requirements for security during transfer/storage and there is open source software that meets it.

And as far as I can tell, MOVEit is essentially a cloud-based front-end for scheduling encryption and transfer that is very likely using open-source on the backend.

Re:

[guruevi]

It’s using OpenSSH on Windows, the entire backend is written in ASP and .NET and runs on Windows Server.

Nuf said.

Zero Day Exploit = My dog ate my homework

[gavron]

If you're wondering what Zero-Day Exploit means, it means the company isn't responsible because the exploit used to steal your most private medical or personal information wasn't previously stolen USING THAT EXACT SAME METHOD. To use an analogy, if your friend borrows your car and someone steals it, if he says it's a ZDE and he didn't know the black-hats were going to go after that car he's free of any responsibility and you're without a car. If it's data, that data will be used against you for the next 2

Says it all!

[oldgraybeard]

U.S. government services contracting giant Maximus

Maximus has a terrible history on many fronts

[Anonymous Coward]

"Maximus provides administration and other services for Medicaid, Medicare, health care reform, welfare-to-work, and student loan servicing among other government programs." ... Scroll down to the Wikipedia section entitled "Criticism" and stand back: https://en.wikipedia.org/wiki/... [wikipedia.org].