Missouri Department of Social Services
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
The Missouri Department of Social Services (DSS) experienced a data security incident in May 2023 involving IBM Consulting and Progress Software’s MOVEit Transfer software. IBM, a vendor providing services to DSS, used MOVEit Transfer, which had a critical vulnerability that was exploited, leading to unauthorized access to Medicaid participant protected health information. The compromised data may include names, department client numbers (DCN), dates of birth, possible benefit eligibility status or coverage, and medical claims information. DSS is still reviewing the files associated with the incident, which are large and not easily readable due to their format[1].
DSS has taken immediate steps to respond to the incident, including disconnecting the MOVEit servers from internal IT systems and beginning an investigation. They have also set up a dedicated call center and incident response website to assist potentially affected Missourians. DSS is sending letters to individuals who may have been impacted by the incident, providing information on how to obtain a free credit report and monitor their credit and accounts. There has been no indication that the data has been misused, but DSS encourages vigilance[1].
IBM notified DSS of the incident on June 2, 2023, and by June 13, 2023, DSS was informed that certain files saved in the MOVEit software application were accessed by an unauthorized user. DSS is working with IDX, a ZeroFox Company, to assist affected individuals. The incident did not directly impact DSS systems but did impact data belonging to DSS[1].
A data breach is a security incident in which unauthorized parties gain access to sensitive data or confidential information. The consequences of a data breach can be severe, including financial losses, reputational damage, legal troubles, regulatory fines, and erosion of consumer trust. Organizations with regularly tested incident response plans and formal incident response teams have an average data breach lifecycle of 277 days, from identifying to containing an active breach[2][3].
For more information, affected individuals can contact the dedicated call center at (888) 220-4761 or visit the incident response website at https://response.idx.us/missouri[1].
Citations:
- https://dss.mo.gov/press/pdf/dss-third-party-cyber-attack-protection.pdf
- https://www.ibm.com/topics/data-breach
- https://www.metacompliance.com/blog/data-breaches/5-damaging-consequences-of-a-data-breach
- https://www.fpc.gov/elements-of-federal-privacy-program/breach-response/
- https://www.hipaajournal.com/missouri-dss-medicaid-recipients-moveit-hack/
- https://www.trendmicro.com/vinfo/us/security/definition/data-breach
- https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach
- https://abc17news.com/news/missouri/2023/08/09/missouri-department-of-social-services-warns-of-medicaid-data-breach/
- https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
- https://www.cloudmask.com/blog/data-breaches-threats-and-consequences
- https://www.ksmu.org/news/2023-08-10/medicaid-data-breach-missouri-department-of-social-services-alerts-public
- https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html
- https://www.nedigital.com/en/blog/data-breach-consequences
- https://www.komu.com/news/state/department-of-social-services-alerts-missourians-of-medicaid-data-breach/article_d5ca9ba2-36c3-11ee-adc7-53b09c44ea22.html
- https://www.kaspersky.com/resource-center/definitions/data-breach
- https://bigid.com/blog/the-costly-impact-of-a-data-breach-on-individuals/
- https://www.newstribune.com/news/2023/aug/09/dss-warns-mo-healthnet-users-to-check-records/
- https://www.fortinet.com/resources/cyberglossary/data-breach
- https://www.fisglobal.com/en/insights/merchant-solutions-worldpay/article/how-the-consequences-of-a-data-breach-threaten-small-businesses
- https://www.govtech.com/security/missouri-grapples-with-medical-records-data-breach
- https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en
- https://www.securitymagazine.com/articles/98325-the-impact-of-a-data-breach
- https://therecord.media/missouri-medicaid-health-info-moveit-breach
- https://www.mcafee.com/learn/what-is-a-data-breach-and-how-do-you-avoid-it/
- https://securityintelligence.com/articles/long-term-impacts-security-breach/