Missouri Department of Social Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Missouri Department of Social Services (DSS) experienced a data security incident in May 2023 involving IBM Consulting and Progress Software’s MOVEit Transfer software. IBM, a vendor providing services to DSS, used MOVEit Transfer, which had a critical vulnerability that was exploited, leading to unauthorized access to Medicaid participant protected health information. The compromised data may include names, department client numbers (DCN), dates of birth, possible benefit eligibility status or coverage, and medical claims information. DSS is still reviewing the files associated with the incident, which are large and not easily readable due to their format[1].

DSS has taken immediate steps to respond to the incident, including disconnecting the MOVEit servers from internal IT systems and beginning an investigation. They have also set up a dedicated call center and incident response website to assist potentially affected Missourians. DSS is sending letters to individuals who may have been impacted by the incident, providing information on how to obtain a free credit report and monitor their credit and accounts. There has been no indication that the data has been misused, but DSS encourages vigilance[1].

IBM notified DSS of the incident on June 2, 2023, and by June 13, 2023, DSS was informed that certain files saved in the MOVEit software application were accessed by an unauthorized user. DSS is working with IDX, a ZeroFox Company, to assist affected individuals. The incident did not directly impact DSS systems but did impact data belonging to DSS[1].

A data breach is a security incident in which unauthorized parties gain access to sensitive data or confidential information. The consequences of a data breach can be severe, including financial losses, reputational damage, legal troubles, regulatory fines, and erosion of consumer trust. Organizations with regularly tested incident response plans and formal incident response teams have an average data breach lifecycle of 277 days, from identifying to containing an active breach[2][3].

For more information, affected individuals can contact the dedicated call center at (888) 220-4761 or visit the incident response website at https://response.idx.us/missouri[1].

Citations:

  1. https://dss.mo.gov/press/pdf/dss-third-party-cyber-attack-protection.pdf
  2. https://www.ibm.com/topics/data-breach
  3. https://www.metacompliance.com/blog/data-breaches/5-damaging-consequences-of-a-data-breach
  4. https://www.fpc.gov/elements-of-federal-privacy-program/breach-response/
  5. https://www.hipaajournal.com/missouri-dss-medicaid-recipients-moveit-hack/
  6. https://www.trendmicro.com/vinfo/us/security/definition/data-breach
  7. https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach
  8. https://abc17news.com/news/missouri/2023/08/09/missouri-department-of-social-services-warns-of-medicaid-data-breach/
  9. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
  10. https://www.cloudmask.com/blog/data-breaches-threats-and-consequences
  11. https://www.ksmu.org/news/2023-08-10/medicaid-data-breach-missouri-department-of-social-services-alerts-public
  12. https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html
  13. https://www.nedigital.com/en/blog/data-breach-consequences
  14. https://www.komu.com/news/state/department-of-social-services-alerts-missourians-of-medicaid-data-breach/article_d5ca9ba2-36c3-11ee-adc7-53b09c44ea22.html
  15. https://www.kaspersky.com/resource-center/definitions/data-breach
  16. https://bigid.com/blog/the-costly-impact-of-a-data-breach-on-individuals/
  17. https://www.newstribune.com/news/2023/aug/09/dss-warns-mo-healthnet-users-to-check-records/
  18. https://www.fortinet.com/resources/cyberglossary/data-breach
  19. https://www.fisglobal.com/en/insights/merchant-solutions-worldpay/article/how-the-consequences-of-a-data-breach-threaten-small-businesses
  20. https://www.govtech.com/security/missouri-grapples-with-medical-records-data-breach
  21. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en
  22. https://www.securitymagazine.com/articles/98325-the-impact-of-a-data-breach
  23. https://therecord.media/missouri-medicaid-health-info-moveit-breach
  24. https://www.mcafee.com/learn/what-is-a-data-breach-and-how-do-you-avoid-it/
  25. https://securityintelligence.com/articles/long-term-impacts-security-breach/
Breach Submission Date Aug 07, 2023
Converted Entity Name Missouri Department of Social Services
Converted Entity Type Health Plan
State MO
Individuals Affected 739,884
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes