Maximus, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Maximus, Inc., a Virginia-based government services provider, experienced a significant data breach due to a cyberattack on the MOVEit file transfer software. This incident, disclosed in late May 2023, resulted in the theft of personal information of 8 to 11 million individuals. The breach was part of a larger cyberattack campaign exploiting a zero-day vulnerability in MOVEit Transfer, a managed file transfer software, affecting approximately 513 organizations and leading to the theft of personal information of around 35 million individuals globally[3].
The compromised data included Social Security numbers, protected health information, and other sensitive personal details. Maximus, which contracts with federal, state, and local governments to manage and administer government-sponsored programs such as Medicaid and Medicare, confirmed that the breach did not impact its internal IT systems or cause material interruptions to its business operations. However, the company anticipated incurring approximately $15 million in expenses related to investigation and remediation activities for the quarter ending June 30, 2023[3].
In response to the breach, Maximus began notifying affected individuals and offered credit monitoring and identity protection services for two years through Experian at no cost to the impacted individuals[2]. The Centers for Medicare & Medicaid Services (CMS) also reported that the breach may have exposed the personal information of as many as 612,000 Medicare recipients, and in collaboration with Maximus, began notifying potentially affected individuals by letter, offering free credit monitoring services for 24 months[4].
This incident is considered one of the largest healthcare-related data breaches of the year, with Maximus being the largest victim of the 2023 MOVEit breach, impacting 612,000 Medicare beneficiaries[7]. The breach has led to a proposed federal class action lawsuit against Maximus Federal Services Inc., accusing the company of failing to protect the personal information of more than 612,000 patients[12].
Citations:
1. https://www.sec.gov/enforce/34-98351-s
2. https://apps.web.maine.gov/online/aeviewer/ME/40/4147b711-dc88-4cb4-9561-db9069994341.shtml
3. https://www.securityweek.com/up-to-11-million-people-hit-by-moveit-hack-at-government-services-firm-maximus/
4. https://fedscoop.com/maximus-breach-may-have-exposed-data-of-medicare-recipients/
5. https://www.idstrong.com/data-breaches/maximus-breach/
6. https://washingtontechnology.com/companies/2023/07/maximus-hit-moveit-ranswomware-breach/388901/
7. https://enfortra.com/moveit-impacts-600k-medicare-beneficiaries-ranks-as-biggest-hack-of-2023/?amp=1
8. https://www.hipaajournal.com/up-to-11-million-health-records-maximus-data-breach/
9. https://techcrunch.com/2023/07/27/us-government-contractor-says-moveit-hackers-accessed-health-data-of-at-least-8-million-individuals/
10. https://fox59.com/indiana-news/maximus-data-security-incident-impacts-more-than-744000-indiana-medicaid-members/
11. https://www.idstrong.com/sentinel/maximus-federal-services-suffered-data-breach/
12. https://news.bloomberglaw.com/privacy-and-data-security/maximus-federal-services-hit-with-moveit-data-breach-lawsuit