Health plans, Medicaid, Medicare hit by massive MOVEit breach

Millions of health plan members have had their personal information, including Social Security numbers and medical history, breached in a massive attack affecting hundreds of organizations. 

MOVEit is a file-transferring application used by public and private organizations. In late May, the application was breached by Clop, a Russian-backed ransomware gang. 

MOVEit disclosed the vulnerability and deployed a patch to correct it on May 31. 

As of Aug. 24, the breach has impacted 988 organizations and over 58 million people, including hospitals, health systems and health plans, according to cybersecurity site Emsisoft.

Here are eight cases affecting payers to note. This list is not comprehensive: 

1. Missouri Medicaid beneficiaries' data was exposed through a breach of MOVEit software used by IBM, a contractor with the Missouri Department of Social Services, the department said Aug. 8. The department did not say how many Medicaid recipients were affected.
   
   
2. An estimated 1.7 million Oregon Health Plan members' personal health data was exposed in the MOVEit breach, the Oregon Health Authority said Aug 2.
   
   
3. Maximus, which provides administrative services for government programs, including Medicare and Medicaid, estimated data for 8 to 11 million people was exposed due to vulnerabilities in the MOVEit software. 
   
   

4. Around 612,000 Medicare beneficiaries' data was exposed through vulnerabilities in the MOVEit software Maximus used, CMS said July 28. 
   
   

5. In Indiana, data of more than 744,000 Medicaid members was exposed through the MOVEit software Maximus used, the state's Family and Social Services Administration said Aug. 11.
   
   
6. Around 4 million Colorado Medicaid and CHIP beneficiaries' data was exposed through MOVEit software used by IBM, a contractor with the Colorado Department of Health Care Policy, the department said Aug. 11. The breach of the Colorado department has one of the largest number of people affected, according to Emsisoft.
   
   

7. CareSource, which offers Medicaid, Medicare and marketplace plans, was another victim of the MOVEit breach. On July 27, the company notified 3 million customers their data may have been breached, according to JDSupra. 
   
   

8. UnitedHealthcare Student Resources, the company's student insurance division, reported a breach resulting from MOVEit to the Texas Attorney General's Office July 25, according to JD Supra.