Millions of Americans' Health Data Stolen After MOVEit Hackers Targeted IBM (techcrunch.com) 24
An anonymous reader quotes a report from TechCrunch: Millions of Americans had their sensitive medical and health information stolen after hackers exploiting a zero-day vulnerability in the widely used MOVEit file transfer software raided systems operated by tech giant IBM. Colorado's Department of Health Care Policy and Financing (HCPF), which is responsible for administering Colorado's Medicaid program, confirmed on Friday that it had fallen victim to the MOVEit mass-hacks, exposing the data of more than four million patients.
In a data breach notification (PDF) to those affected, Colorado's HCPF said that the data was compromised because IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business." The letter states that while no HCPF or Colorado state government systems were affected by this issue, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor." These files include patients' full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income information, clinical and medical data including lab results and medication, and health insurance information. HCPF says about 4.1 million individuals are affected.
IBM has yet to publicly confirm that it was affected by the MOVEit mass-hacks, and an IBM spokesperson did not respond to a request for comment by TechCrunch. The breach of IBM's MOVEit systems also impacted Missouri's Department of Social Services (DSS), though the number of affected individuals is not yet known. More than six million people live in Missouri state. In a data breach notification posted last week, Missouri's DSS said: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS." DSS says that the data accessed may include an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information.
In a data breach notification (PDF) to those affected, Colorado's HCPF said that the data was compromised because IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business." The letter states that while no HCPF or Colorado state government systems were affected by this issue, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor." These files include patients' full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income information, clinical and medical data including lab results and medication, and health insurance information. HCPF says about 4.1 million individuals are affected.
IBM has yet to publicly confirm that it was affected by the MOVEit mass-hacks, and an IBM spokesperson did not respond to a request for comment by TechCrunch. The breach of IBM's MOVEit systems also impacted Missouri's Department of Social Services (DSS), though the number of affected individuals is not yet known. More than six million people live in Missouri state. In a data breach notification posted last week, Missouri's DSS said: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS." DSS says that the data accessed may include an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information.
how much you wanna bet (Score:2)
Re: (Score:2)
I would not take that bet. IBM proper is pretty much a clueless has-been as well at this point. Ginny made sure of that.
Re: (Score:2)
" IBM is one of those with the artificial intelligence, quantum computers, and all that since years back"
Those things being in a lab do not count.
timing (Score:2)
So much for never got fired for buying IBM. (Score:2)
Because you know that the damage control and mitigation steps presented to HHS is going to be a list of who we fired so that they can reduce the fine.
I'm waiting for the mass firings over Active Directory exploits. They'll probably fire the junior security team members who signed off on Active Directory being used.
Encrypt? (Score:1)
How Long? (Score:2)
Re: (Score:2)
I think the better questions why hasn't it already.
I honestly don't understand what is so attractive to enterprise IT about MoveIT and Accellion. The core of these products is quotas, secure file transfer and encryption at rest - something EVERY contemporary OS offers pretty much OOB at this point. If you need a web interface there are any number of far more secure Java or .Net applications you could deploy to any platform you chose or you could use any number of other FOSS things built on contemporary fram
Re: (Score:2)
I honestly don't understand what is so attractive to enterprise IT about MoveIT and Accellion. The core of these products is quotas, secure file transfer and encryption at rest - something EVERY contemporary OS offers pretty much OOB at this point.
Sure you can do these kinds of things with Linux and Windows, but can you get this done with cheap low-salary techs or do you need experienced admins who can actually pronounce "linux" to manage things? Companies invest in this because it's a turnkey solution that allows them to use cheap labor to get things done, and they can scale out cheap labor much more easily to get more of the things done for linear costs. Fixed licensing costs can be managed and forecasted, but skilled labor is much riskier and incr
Re: (Score:2)
I could totally see that argument in the medium business space where half their stuff is cloud, and they just have a small team of admins and developers. However this stuff seems to land in the F500 enterprise space where they absolutely do have the staff on hand that can do this better.
Victims of Zero Day Attack (Score:1)
The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software.
MOVEit Software timeline of vulnerability:
https://www.progress.com/secur... [progress.com]
May 31, 2023, Progress reported a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment.
From TFA:
IBM notified DSS of the incident on June 2, 2023, informing DSS that IBM had applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application while they investigated to determine if any DSS data had been accessed.
I don't have many kind words for IBM but in this situation it looks like Missouri DSS was the victim of a zero day attack. Once the vulnerability was disclosed by MOVEit IBM applied a mitigation to a PROD system within three days. The larger question is what role did IBM have (if any) in securing the systems the software existed on.
(Btw - to the Slashdot Editors - please fix the original submission.
Bigger deal (Score:4, Informative)
Text him on hackerspytech @gmail com (Score:1)
Hire a hacker review (Score:1)
ETHICAL HACKER FOR HIRE/ WIZARD LARRY (Score:1)
ETHICAL HACKER FOR HIRE/ WIZARD LARRY (Score:1)
Text him on hackerspytech @gmail com, veritable!!! (Score:1)
Special thanks to hackerspytech @ gmail com (Score:1)
I know and can recommend a very efficient HACKER (Score:1)