The state began contacting more than 134,000 people on Tuesday who are currently or were previously enrolled in certain state programs and whose personal information, potentially including private medical details and financial data, was exposed in a data breach involving a file-transfer program used by the UMass Chan Medical School.
The Executive Office of Health and Human Services said the exposed data varies by person, but in every case includes the person's name plus at least one other data element, such as date of birth, mailing address, protected health information such as diagnosis and treatment details, Social Security number, or financial account information.
The breach stems from a vulnerability in MOVEit, a file-transfer product from Burlington-based Progress Software, which the state said "was used to transfer files as part of the services provided by UMass to certain EOHHS agencies and programs."
"This incident was part of a worldwide data security incident involving a file-transfer software program called MOVEit, which has impacted state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations. No UMass Chan or state systems were compromised in this incident," HHS said in its announcement. "Impacted individuals have been sent notice by mail and will be contacted by phone, text, and e-mail where possible. Any individual who receives a notice is encouraged to take steps to protect their information, including monitoring their financial account statements and enrolling in free credit monitoring and identity theft protection offered to individuals who had certain sensitive information involved."
The breach mostly affected "State Supplement Program (SSP) participants (including recipients, other members of the household and authorized representatives), MassHealth Premium Assistance members, MassHealth Community Case Management participants, and Executive Office of Elder Affairs (EOEA) and Aging Services Access Points (ASAP) home care program consumers," the state said.
"If you do not participate in one of those programs, it is unlikely your data was exposed," the state said.
People whose information was compromised will begin receiving letters from UMass Chan and the state on Tuesday, HHS said, with specific information on which pieces of their data were exposed and steps they can take to protect their identity and data. UMass Chan started notifying affected people on Monday.
UMass Chan learned about the issues with MOVEit on June 1, and "immediately fixed the vulnerability, contacted law enforcement, launched an investigation and worked to identify the individuals whose information was involved," HHS said. The medical school identified files that may have been subject to unauthorized acquisition and on July 27 determined that some of these files contained information related to people who received state HHS services.
UMass Chan is offering free credit monitoring and identity theft protection services to individuals whose Social Security numbers or financial information were involved in the breach. More information is available on the state's website.
Reuters described the MOVEit issue as a "hydra-headed breach centered on a single American software maker [that] has compromised data at more than 600 organizations worldwide."
The news outlet cited cybersecurity firm Emsisoft, which has so far tallied 668 affected organizations and more than 46 million individual victims worldwide.
The breach has hit other states hard — information on 6 million people was exposed through the Louisiana Office of Motor Vehicles, another 4 million people's information was affected at the Colorado Department of Health Care Policy and Financing, and 3.5 million people had information exposed through the Oregon Department of Transportation, Emsisoft said.
Earlier this year, Point32Health, the parent company of Harvard Pilgrim Health Care, determined that patient information was stolen in a ransomware incident discovered in April. The incident disrupted customer service functions for the insurer, including the enrollment and renewal processes.
It took until late June for the insurer to restore its "core functions and digital tools, including our public website and secure online (member) account" to the point that they were safe to use. The company announced the full restoration of its online tools on June 29.