TGI Direct

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

On May 28, 2023, TGI Direct, Inc., a company that provides printing and mailing services to various organizations including health plans, detected unusual activity within their MOVEit file transfer tool’s server. MOVEit is a managed file transfer tool used by TGI Direct to manage data collected and stored on behalf of their customers. The creators of MOVEit, Progress Software, had recently identified vulnerabilities in the tool that were previously unknown and could potentially allow unauthorized access to data within the tool. An unauthorized actor exploited these vulnerabilities and accessed data without permission from several companies, including TGI Direct[1].

The breach at TGI Direct lasted for less than four hours on the aforementioned date, during which the unauthorized actor accessed or acquired some data stored on the server. The information affected by the breach varied by individual but included names, insurance information, and medical information. No Social Security numbers or financial information were involved, and there was no evidence that the information was used for identity theft or fraud[1].

In response to the incident, TGI Direct secured their environment to prevent further harm, initiated an investigation with the help of third-party cybersecurity specialists, and applied patches provided by Progress Software to fix the vulnerabilities in MOVEit. TGI Direct is notifying individuals whose data was impacted and advising them to monitor their account statements and credit reports for any suspicious activity. They have also provided a dedicated assistance line for those with additional questions regarding the breach[1].

The breach was reported to the Secretary of Health and Human Services as affecting 11,556 individuals and is listed on the Office for Civil Rights Breach Portal as a hacking/IT incident involving a network server with a business associate present[9]. This incident is part of a larger series of breaches involving the MOVEit Transfer solution, which affected numerous organizations and millions of records[12].

Citations:

  1. https://www.prnewswire.com/news-releases/tgi-direct-inc-provides-notice-of-data-event-301995262.html
  2. https://www.qlik.com/us/products/qlik-sense
  3. https://www.tgidirect.com/tgi/About
  4. https://edubenchmark.com/course/oet
  5. https://www.tgidirect.com
  6. https://www.printingnews.com/trade-services/trade-printing/press-release/10282229/tgi-direct-tgi-direct-among-biggest-losers-in-weightloss-competition
  7. https://www.tgidirect.com/tgi/Capabilities/Data
  8. https://www.tannoy.com
  9. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  10. https://www.linkedin.com/company/privacy-associates-international-llc
  11. https://www.indeed.com/cmp/Tgi-Direct/reviews?fcountry=US&floc=Flint%2C+MI
  12. https://www.hipaajournal.com/november-2023-healthcare-data-breach-report/
  13. https://twitter.com/OCRNewBreaches
Breach Submission Date Jan 17, 2024
Converted Entity Name TGI Direct
Converted Entity Type Business Associate
State MI
Individuals Affected 11,556
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes