Known MOVEit Attack Victim Count Reaches 2,618 Organizations

Trackers of the tally of individuals affected by the Clop ransomware group’s mass hack attack on MOVEit servers added another 4.5 million patients’ data to the ever-ascending total.

See Also: Risky Business: When Third-Party Troubles Become Your Own

The new additions come from healthcare platform Welltok, California’s Medical Eye Services, and Medicaid contractor Maximus Federal Services. They join a long and growing list of organizations that have reported suffering breaches of their MOVEit servers, recently including the state of Maine, which said data pertaining to approximately 1.3 million residents – equal to the state’s population count – had been stolen.

The data-stealing attacks began around May 27, when the Clop – aka Cl0p – ransomware group began exploiting a zero-day vulnerability, later designated CVE-2023-34362, in MOVEit secure file transfer software, built by Progress Software. On May 31, the Massachusetts-based vendor alerted users to the attack campaign and released a patch to fix the flaw.

At least 2,618 organizations have been affected by the MOVEit attacks, leading to information on more than 77 million individuals being exposed, security firm Emsisoft reported Sunday. The most-affected sectors, it said, have been education, healthcare and financial and professional services, although not all victims have lost sensitive data (see: Lessons to Learn From Clop’s MOVEit Supply Chain Attacks).

Progress Software last month reported that it’s facing a class action lawsuit in Massachusetts federal court – consolidated from 58 separately filed lawsuits seeking class action status, plus investigations launched by federal and state regulators, as well as foreign data privacy regulators (see: US Securities and Exchange Commission Probes MOVEit Hack).

Welltok Notifies 3.5 Million Patients

In the meantime, more MOVEit victims continue to be counted. That includes 3.5 million individuals that healthcare platform Welltok, owned by Virgin Pulse, has begun to directly notify.

Welltok first disclosed that it had fallen victim to the MOVEit attacks on Oct. 24. The company said it has confirmed that its MOVEit file transfer server was breached on May 30, and it identified all resulting victims after doing “a full reconstruction of its systems and historical data,” which it completed on Aug. 11.

California’s Sutter Health on Nov. 3 reported that personal information for approximately 845,441 Sutter Health patients appeared to have been stolen and that all patients were being notified directly by Welltok via letters.

On Friday, Welltok disclosed that data it had held for “the group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance” had been stolen.

For 1.6 million patients who are part of Stanford Health Care and associated plans located in and around Palo Alto, California, Welltok said exposed information included name, address, birthdate and health information, and that it had begun to directly notify affected patients Friday.

Welltok on Friday also began notifying about 1 million patients of Corewell Health in southeast Michigan, as well as 2,500 users of its Priority Health plan, that their information had been stolen from its MOVEit server. For affected Corewell Health patients, stolen information included name, birthdate, email address, phone number, diagnoses, health insurance information and Social Security number.

Medical Eye Services Sees 665,000 Victims

Another MOVEit victim is Medical Eye Services. The Blue Shield of California vendor said Friday that 664,824 individuals’ names and Social Security numbers had been stolen from its MOVEit server.

Medical Eye Services, based in Foothill Ranch, California, said the attack against it ran from May 28 to May 31.

In the data breach notification being sent to victims, David Keystone, Blue Shield of California’s chief privacy officer, said that the company had established a dedicated call center to field questions from victims, who are being offered one year of prepaid identity theft monitoring via Kroll. He also said “the vendor has rebuilt the MOVEit system in accordance with gold standard build requirements” and that “before reactivating the system, the vendor undertook a number of technical measures to validate security controls put in place.”

Maximus Counts 11.3 Million Victims

Another MOVEit target has counted fresh victims. On Thursday, the Centers for Medicare and Medicaid Services reported that an additional 330,000 individuals are being notified that their personal identifiable information was exposed by Medicare contractor Maximus Federal Services. CMS said its own systems were not breached in the MOVEit attacks.

Information stolen from Maximus from May 27 through May 31 included patient names, Social Security numbers, birthdates, addresses and contact information, driver’s license numbers, health insurance claims and prescription information, and in some cases, Medicare Beneficiary Identifier, CMS said. CMS said anyone whose MBI was potentially exposed will receive a new MBI card with a new unique identification number. “CMS will mail the new card to your address in the coming weeks,” it said. “In the meantime, you can continue to use your existing Medicare card.”

Maximus first notified CMS on June 2 that it had fallen victim to the MOVEit campaign. On July 26, Maximus alerted federal regulators that “at least” 8 million to 11 million individuals’ information had been stolen after Clop exfiltrated 169 gigabytes of data from its MOVEit servers, making it the largest known MOVEit attack victim. Maximus is offering victims 24 month of prepaid credit monitoring services.