Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy IBM Security

Millions of Americans' Health Data Stolen After MOVEit Hackers Targeted IBM (techcrunch.com) 24

An anonymous reader quotes a report from TechCrunch: Millions of Americans had their sensitive medical and health information stolen after hackers exploiting a zero-day vulnerability in the widely used MOVEit file transfer software raided systems operated by tech giant IBM. Colorado's Department of Health Care Policy and Financing (HCPF), which is responsible for administering Colorado's Medicaid program, confirmed on Friday that it had fallen victim to the MOVEit mass-hacks, exposing the data of more than four million patients.

In a data breach notification (PDF) to those affected, Colorado's HCPF said that the data was compromised because IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business." The letter states that while no HCPF or Colorado state government systems were affected by this issue, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor." These files include patients' full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income information, clinical and medical data including lab results and medication, and health insurance information. HCPF says about 4.1 million individuals are affected.

IBM has yet to publicly confirm that it was affected by the MOVEit mass-hacks, and an IBM spokesperson did not respond to a request for comment by TechCrunch. The breach of IBM's MOVEit systems also impacted Missouri's Department of Social Services (DSS), though the number of affected individuals is not yet known. More than six million people live in Missouri state. In a data breach notification posted last week, Missouri's DSS said: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS." DSS says that the data accessed may include an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information.

This discussion has been archived. No new comments can be posted.

Millions of Americans' Health Data Stolen After MOVEit Hackers Targeted IBM

Comments Filter:
  • it was Redhat Enterprise since IBM (international bowel movement) acquired it
    • by gweihir ( 88907 )

      I would not take that bet. IBM proper is pretty much a clueless has-been as well at this point. Ginny made sure of that.

  • How long after the MOVEit news broke did this occur ?
  • Because you know that the damage control and mitigation steps presented to HHS is going to be a list of who we fired so that they can reduce the fine.

    I'm waiting for the mass firings over Active Directory exploits. They'll probably fire the junior security team members who signed off on Active Directory being used.

  • If only it were possible to encrypt data at rest, so that the sensitive information could not easily be had.
  • How long before MoveIT moves off into the sunset...never to be seen again?
    • by DarkOx ( 621550 )

      I think the better questions why hasn't it already.

      I honestly don't understand what is so attractive to enterprise IT about MoveIT and Accellion. The core of these products is quotas, secure file transfer and encryption at rest - something EVERY contemporary OS offers pretty much OOB at this point. If you need a web interface there are any number of far more secure Java or .Net applications you could deploy to any platform you chose or you could use any number of other FOSS things built on contemporary fram

      • I honestly don't understand what is so attractive to enterprise IT about MoveIT and Accellion. The core of these products is quotas, secure file transfer and encryption at rest - something EVERY contemporary OS offers pretty much OOB at this point.

        Sure you can do these kinds of things with Linux and Windows, but can you get this done with cheap low-salary techs or do you need experienced admins who can actually pronounce "linux" to manage things? Companies invest in this because it's a turnkey solution that allows them to use cheap labor to get things done, and they can scale out cheap labor much more easily to get more of the things done for linear costs. Fixed licensing costs can be managed and forecasted, but skilled labor is much riskier and incr

        • by DarkOx ( 621550 )

          I could totally see that argument in the medium business space where half their stuff is cloud, and they just have a small team of admins and developers. However this stuff seems to land in the F500 enterprise space where they absolutely do have the staff on hand that can do this better.

  • by Anonymous Coward
    From TFA:

    The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software.

    MOVEit Software timeline of vulnerability:
    https://www.progress.com/secur... [progress.com]

    May 31, 2023, Progress reported a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment.

    From TFA:

    IBM notified DSS of the incident on June 2, 2023, informing DSS that IBM had applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application while they investigated to determine if any DSS data had been accessed.

    I don't have many kind words for IBM but in this situation it looks like Missouri DSS was the victim of a zero day attack. Once the vulnerability was disclosed by MOVEit IBM applied a mitigation to a PROD system within three days. The larger question is what role did IBM have (if any) in securing the systems the software existed on.



    (Btw - to the Slashdot Editors - please fix the original submission.

  • Bigger deal (Score:4, Informative)

    by Jarik C-Bol ( 894741 ) on Tuesday August 15, 2023 @06:20AM (#63768568)
    I was only tangentially aware of the MOVEit breach, a family friend called and asked me a few questions about a free year of credit monitoring their health insurance provider was offering, and mentioned MOVEit. I just looked it up, and am a little stunned it has not made bigger waves in the news. Upwards of 46.7 million individuals and counting affected, 677 organizations (banks, insurance, businesses, municipalities, state and local government agencies). And this is the first news article I’ve seen on the subject. Pretty disappointing to see how many eggs are in one basket, security wise.
  • We all have our separate reasons for hiring a hacker. I was faced with such a problem sometime ago and I didn't know where to look for one, so I went online and searched. And a lot of results came up during my search but I choose hackerspytech @gmail com and after talking with him and relaying what I wanted him to do for me, he told me not to worry he collected some information from me and told me he'll get back to me within 4 hours so after waiting for about 2 hours he mailed me and said my job was ready.
  • Hire a hacker for review (TECHSPYHACKERPRO @ GM AIL C OM ). They offer service like ( phone hack, GPS track, face book recovery, delete criminal record, whatsApp recovery, retrieve lost wallet and many more...
  • ETHICAL HACKER FOR HIRE/ WIZARD LARRY Have you ever experienced cryptocurrency theft? Have scammers or hackers taken your hard-earned Bitcoins? Don't be worried! W I Z A R D L A R R Y is an expert cryptocurrency recovery agent who can help you get your stolen Bitcoin back and reclaim what is rightfully yours. Make contact with him right away and thank me later. wizardlarry (AT) mail DOT com. WhatsApp +1 (205) /319-/6886/ Website : https://wizardlarry.wixsite.co... [wixsite.com]
  • ETHICAL HACKER FOR HIRE/ WIZARD LARRY Have you ever experienced cryptocurrency theft? Have scammers or hackers taken your hard-earned Bitcoins? Don't be worried! W I Z A R D L A R R Y is an expert cryptocurrency recovery agent who can help you get your stolen Bitcoin back and reclaim what is rightfully yours. Make contact with him right away and thank me later. wizardlarry (AT) mail DOT com. WhatsApp +1 (205) /319-/6886/ Website : https://wizardlarry.wixsite.co... [wixsite.com]
  • Infidelity in marriage is never a thing of joy, I was battling with infections in marriage, painful right. I'm not so ashamed to say this because I'll like this to serve as an eye-opener to young couples out there. my ex-husband was a university lecturer and was always involved with extramarital affairs. I found myself in and out of hospitals treating myself for STDs, I had to get an ethical hacker hackerspytech @gmail com, to help me clone his phone and social media platforms in Whatsapp and Facebook messe
  • Research, Findings, Results and Reviews from clients in-need of the Best iOS and iPhone Hire a Hacker for Hacking Services, has shown that iPhone/iOS hackerspytech @ gmail com Delivers the best mix of web filtering, Location tracking and App management, particularly on iOS devices, Android Devices and Windows. Forensic Hire a Hacker Service includes: access to Facebook chats, WhatsApp messages, Instagram Messages, Tinder messages, Phone texts, call logs, browser history, recover deleted files and chat histo
  • I know and can recommend a very efficient and trustworthy hacker. I got his email address on Quora , hackerspytech @ gmail com is a very nice and he has helped me a couple of times even helped clear some discrepancies in my account at a very affordable price. he offers a top notch service and I am really glad I contacted him. He's the right person you need to talk to if you want to retrieve your deleted/old texts,call logs,emails,photos and also hack any of your spouse’s social network account faceboo

If all else fails, lower your standards.

Working...