Confidential Health Details Leaked in IBM MOVEit Cyberattack

Missouri’s Department of Social Services (DSS) has sounded the alarm over a serious data breach. Medicaid healthcare information, which falls into the protected category, was exposed following a MOVEit data theft attack on IBM.

The Clop ransomware gang spearheaded this attack, which began on May 27th. They exploited a zero-day vulnerability tracked as CVE-2023-34362, which gave them access to data from over 600 organizations worldwide. These entities included businesses, educational institutions, and federal and local state agencies.

The projected income from these ransomware attacks ranges from $75 million to $100 million.

Missouri’s Healthcare Data Compromised

Yesterday, Missouri’s Department of Social Services disclosed the exposure of healthcare data linked to the state’s Medicaid services.

The statement from the DSS read, “The Missouri Department of Social Services is reacting to a May 2023 data breach with IBM Consulting. The incident involved Progress Software’s MOVEit Transfer software. IBM offers services to DSS, the state agency dealing with Medicaid services for eligible Missouri residents. The data issue didn’t affect DSS systems directly. It affected data owned by DSS. DSS acted swiftly in ongoing response to this incident.”

IBM’s statement to BleepingComputer read, “IBM has cooperated with the Missouri Department of Social Services to ascertain and mitigate the incident’s impact. The incident involved MOVEit Transfer, a non-IBM data transfer program from Progress Software. On receiving a bulletin from Progress, we cut off MOVEit Transfer’s interaction with the department’s IT systems. We took this step to protect Missouri citizens and their data further. IBM systems remain unaffected.”

Analyzing Stolen Data Reveals Extent of Breach

After examining the stolen data, DSS found that it contained protected health details for Missouri’s Medicaid participants. The data that might be compromised includes names, department client numbers (DCNs), birth dates, possible benefit eligibility, and medical claim records.

The DSS further clarified, “We are still scrutinizing the files linked to this event. This review will take considerable time. The files are vast, not easily understandable, and hard to read due to their format.”

Only two social security numbers were exposed, and no bank information was identified, as confirmed by the agency.

However, due to the stolen files’ nature and format, it might take a while to analyze the data and grasp the breach’s full extent.

Notifications and Recommendations Following the MOVEit Breach

Out of caution, DSS is sending alerts to all Missouri Medicaid participants enrolled in May 2023.

The Missouri Department of Social Services urges affected individuals to freeze their credit. This preventive measure can stop threat actors from opening new accounts or borrowing money in their names.

Furthermore, the agency advises monitoring credit reports for suspicious activities.

Ripple Effects of the MOVEit Transfer Attacks

Missouri is not the only state affected by the MOVEit Transfer attacks. Other state agencies, including the Louisiana and Oregon Departments of Motor Vehicles, are also victims. They received warnings in June that millions of state IDs were under attack.

The incident underscores the need for robust cybersecurity measures and continued vigilance. The potential consequences are vast, with personal data and state security hanging in the balance. The events in Missouri and other states act as a stern reminder of what’s at stake in a digital landscape.