State of Maine
Breach Description
The State of Maine experienced a significant data breach impacting approximately 1.3 million individuals, which is roughly equivalent to the state’s entire population. This breach was part of a global cybersecurity incident involving the MOVEit file transfer tool, owned by Progress Software. The vulnerability in MOVEit was exploited by cybercriminals, specifically the Cl0p ransomware gang, between May 28 and May 29, 2023, before a patch was issued on May 31, 2023[6][15][21].
The types of data compromised in this breach vary from individual to individual but may include names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, taxpayer identification numbers, and for some, medical information and health insurance information[1][6][15]. The Maine Department of Health and Human Services was the most affected, with over 50% of the data exposed originating from this department. The Maine Department of Education was also significantly impacted, with 10 to 30% of the data coming from this department. Other affected departments include the Maine Department of Administrative and Financial Services, Maine Workers’ Compensation, Maine Bureau of Motor Vehicles, Maine Department of Corrections, Maine Department of Economic and Community Development, Maine Department of Professional and Financial Regulation, and Maine Department of Labor[1][6].
In response to the breach, the State of Maine took several steps to secure its information and mitigate the impact on affected individuals. These steps included blocking internet access to and from the compromised MOVEit server, engaging external legal and cybersecurity experts, and applying security measures recommended by Progress Software[1][3][15]. The state has also offered two years of complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identification numbers were involved[1][3][6].
To address concerns and provide assistance, the State of Maine established a dedicated call center and a website to offer the latest information on the incident and guidance on how affected individuals can protect their personal information[1][3][6]. Despite the efforts to notify impacted individuals through various communication channels, there has been criticism regarding the delay in notification, with the breach being discovered in May but notifications only starting in November[19].
This incident underscores the importance of cybersecurity vigilance and the need for prompt action and transparent communication in the wake of data breaches to minimize harm to affected individuals.
Citations:
1. https://www.maine.gov/moveit-global-data-security-incident/
2. https://apps.web.maine.gov/online/aeviewer/ME/40/49e711c6-e27c-4340-867c-9a529ab3ca2c.shtml
3. https://www.maine.gov/moveit-global-data-security-incident/sites/maine.gov.moveit-global-data-security-incident/files/inline-files/PRESS%20RELEASE%20State%20of%20Maine%20Impacted%20by%20Global%20MOVEit%20Security%20Incident.pdf
4. https://legislature.maine.gov/legis/statutes/10/title10sec1348.html
5. https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml
6. https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2023/11/state-of-maine-data-breach-impacts-1-3-million-people/amp
7. https://www.cpomagazine.com/cyber-security/maine-state-governments-moveit-data-breach-basically-impacted-all-1-3-million-residents/
8. https://lewisbrisbois.com/privacy/US/Maine/data-breach
9. https://www.newscentermaine.com/article/news/local/maine-data-breach-file-transfer-software/97-273215ab-1ee6-4dd0-b05e-b66aff55ee37
10. https://dwmlaw.com/maines-data-breach-law-what-to-do-after-a-breach/
11. https://thehill.com/policy/technology/4304739-maine-says-1-3m-people-affected-by-data-breach/
12. https://appengine.egov.com/apps/me/maine/ag/reportingform
13. https://www.pressherald.com/2023/11/09/state-russian-speaking-cyber-hack-reached-maine-affecting-personal-data/
14. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.html
15. https://securityaffairs.com/154066/data-breach/state-of-maine-data-breach.html
16. https://www.mainehousing.org/docs/default-source/ehs-partners-library/Community-Action-Agencies/ssa-documents/data-security-breach-response-plan.pdf?sfvrsn=ef7da115_2
17. https://www.wmtw.com/article/more-than-1-million-mainers-affected-data-breach-state-says/45802554
18. https://www.hipaajournal.com/state-of-maine-reports-450000-record-data-breach/
19. https://www.govtech.com/security/breach-notification-delays-draw-criticism-for-maine-agencies
20. https://www.bleepingcomputer.com/news/security/maine-govt-notifies-13-million-people-of-moveit-data-breach/
21. https://techcrunch.com/2023/11/09/maine-government-data-breach-clop-ransomware/
22. https://www.thinkadvisor.com/2023/11/10/state-of-maine-moveit-breach-exposes-1-3m-peoples-data/