State of Maine

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

The State of Maine experienced a significant data breach impacting approximately 1.3 million individuals, which is roughly equivalent to the state’s entire population. This breach was part of a global cybersecurity incident involving the MOVEit file transfer tool, owned by Progress Software. The vulnerability in MOVEit was exploited by cybercriminals, specifically the Cl0p ransomware gang, between May 28 and May 29, 2023, before a patch was issued on May 31, 2023[6][15][21].

The types of data compromised in this breach vary from individual to individual but may include names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, taxpayer identification numbers, and for some, medical information and health insurance information[1][6][15]. The Maine Department of Health and Human Services was the most affected, with over 50% of the data exposed originating from this department. The Maine Department of Education was also significantly impacted, with 10 to 30% of the data coming from this department. Other affected departments include the Maine Department of Administrative and Financial Services, Maine Workers’ Compensation, Maine Bureau of Motor Vehicles, Maine Department of Corrections, Maine Department of Economic and Community Development, Maine Department of Professional and Financial Regulation, and Maine Department of Labor[1][6].

In response to the breach, the State of Maine took several steps to secure its information and mitigate the impact on affected individuals. These steps included blocking internet access to and from the compromised MOVEit server, engaging external legal and cybersecurity experts, and applying security measures recommended by Progress Software[1][3][15]. The state has also offered two years of complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identification numbers were involved[1][3][6].

To address concerns and provide assistance, the State of Maine established a dedicated call center and a website to offer the latest information on the incident and guidance on how affected individuals can protect their personal information[1][3][6]. Despite the efforts to notify impacted individuals through various communication channels, there has been criticism regarding the delay in notification, with the breach being discovered in May but notifications only starting in November[19].

This incident underscores the importance of cybersecurity vigilance and the need for prompt action and transparent communication in the wake of data breaches to minimize harm to affected individuals.

Citations:

  1. https://www.maine.gov/moveit-global-data-security-incident/
  2. https://apps.web.maine.gov/online/aeviewer/ME/40/49e711c6-e27c-4340-867c-9a529ab3ca2c.shtml
  3. https://www.maine.gov/moveit-global-data-security-incident/sites/maine.gov.moveit-global-data-security-incident/files/inline-files/PRESS%20RELEASE%20State%20of%20Maine%20Impacted%20by%20Global%20MOVEit%20Security%20Incident.pdf
  4. https://legislature.maine.gov/legis/statutes/10/title10sec1348.html
  5. https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml
  6. https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2023/11/state-of-maine-data-breach-impacts-1-3-million-people/amp
  7. https://www.cpomagazine.com/cyber-security/maine-state-governments-moveit-data-breach-basically-impacted-all-1-3-million-residents/
  8. https://lewisbrisbois.com/privacy/US/Maine/data-breach
  9. https://www.newscentermaine.com/article/news/local/maine-data-breach-file-transfer-software/97-273215ab-1ee6-4dd0-b05e-b66aff55ee37
  10. https://dwmlaw.com/maines-data-breach-law-what-to-do-after-a-breach/
  11. https://thehill.com/policy/technology/4304739-maine-says-1-3m-people-affected-by-data-breach/
  12. https://appengine.egov.com/apps/me/maine/ag/reportingform
  13. https://www.pressherald.com/2023/11/09/state-russian-speaking-cyber-hack-reached-maine-affecting-personal-data/
  14. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.html
  15. https://securityaffairs.com/154066/data-breach/state-of-maine-data-breach.html
  16. https://www.mainehousing.org/docs/default-source/ehs-partners-library/Community-Action-Agencies/ssa-documents/data-security-breach-response-plan.pdf?sfvrsn=ef7da115_2
  17. https://www.wmtw.com/article/more-than-1-million-mainers-affected-data-breach-state-says/45802554
  18. https://www.hipaajournal.com/state-of-maine-reports-450000-record-data-breach/
  19. https://www.govtech.com/security/breach-notification-delays-draw-criticism-for-maine-agencies
  20. https://www.bleepingcomputer.com/news/security/maine-govt-notifies-13-million-people-of-moveit-data-breach/
  21. https://techcrunch.com/2023/11/09/maine-government-data-breach-clop-ransomware/
  22. https://www.thinkadvisor.com/2023/11/10/state-of-maine-moveit-breach-exposes-1-3m-peoples-data/

Breach Submission Date: Nov 16, 2023
Converted Entity Name: State of Maine
Converted Entity Type: Health Plan
State: ME
Individuals Affected: 453,894
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes