NASCO

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

NASCO, an Atlanta-based healthcare technology company, experienced a significant data security incident on May 30, 2023, when an unauthorized third party acquired data from the company’s instance of MOVEit, a file transfer application by Progress Software[1][5]. NASCO discovered the breach on July 12, 2023, and the company promptly secured its systems, initiated an investigation with a leading cybersecurity firm, and notified law enforcement[1].

The compromised data included a range of personal information such as names, demographic details (addresses, phone numbers, genders, dates of birth), health insurance numbers, claim information, medical ID numbers, dates of service, medical information (including diagnosis information), medical devices or products purchased, provider/caregiver names, and in some cases, Social Security numbers. The specific data affected varied by individual[1][5].

NASCO has taken steps to mitigate the risk to its customers and the affected personal information. The company is providing notice to certain affected individuals by letter and offering resources to help protect their personal information, including 24 months of identity monitoring services at no cost to those who receive a notification letter about the issue[1].

The breach was part of a larger incident involving the MOVEit zero-day vulnerability, which had global ramifications and affected millions of people. The vulnerability allowed cybercriminals to access servers, networks, and storage of organizations using MOVEit[5]. NASCO has since worked to enhance the security of its systems and mitigate risk[1].

Affected individuals are encouraged to remain vigilant against identity theft and fraud, review their account statements, monitor their free credit reports for suspicious activity, and confirm the accuracy of health care services described in benefits documents they receive from their health plan[1]. NASCO has established a dedicated toll-free telephone number for those who may have questions or need additional information about the incident[1].

Citations:

  1. https://www.prnewswire.com/news-releases/nasco-provides-notification-and-support-related-to-data-security-incident-301970341.html
  2. https://www.northwell.edu
  3. https://consumer.sc.gov/sites/consumer/files/Documents/Security%20Breach%20Notices/NASCO.pdf
  4. https://www.experian.com/blogs/ask-experian/credit-education/faqs/instructions-for-disputing-by-mail/
  5. https://www.idstrong.com/sentinel/blues-nasco-updates-million-records-exposed-by-moveit/
  6. https://www.napcosecurity.com
  7. https://apps.web.maine.gov/online/aeviewer/ME/40/88b0f21d-4122-45a4-982a-57de65aef63b.shtml
  8. https://www.jdsupra.com/legalnews/nasco-confirms-moveit-related-data-9662508/
  9. https://www.teiss.co.uk/news/atlanta-healthcare-software-company-nasco-says-moveit-transfer-breach-impacted-800k-patients-13075
  10. https://www.integreon.com
  11. https://apps.web.maine.gov/online/aeviewer/ME/40/422c4d33-f81f-4d63-b939-df5ae62bbe7e.shtml
  12. https://www.myinjuryattorney.com/data-breach-investigation-nasco/
  13. https://www.teiss.co.uk/news/healthcare-software-company-nasco-adds-16m-people-to-its-list-of-moveit-breach-victims-13341
  14. https://www.classaction.org/media/macgillivray-et-al-v-national-account-service-company-llc-et-al.pdf

Breach Submission Date: Oct 10, 2023
Converted Entity Name: NASCO
Converted Entity Type: Business Associate
State: GA
Individuals Affected: 2,956
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes