Unum Group SACE
Breach Description
The breach at Unum Group SACE in Tennessee was a significant data security incident disclosed in August 2023. It was part of a larger cybersecurity issue affecting numerous organizations, caused primarily by the Clop ransomware group's exploitation of a vulnerability in the MOVEit Transfer solution. MOVEit Transfer is a file transfer application that was widely used for secure data handling and transfers.
Overview of the Breach
On June 1, 2023, Unum Group detected suspicious activity involving its MOVEit Transfer application. The company promptly initiated an investigation with the help of third-party cybersecurity experts. The investigation revealed that between May 31 and June 1, 2023, an unauthorized party exploited a security vulnerability in MOVEit Transfer to copy a subset of data from Unum’s server[3].
The data accessed by the unauthorized party varied by individual but included sensitive information such as names, dates of birth, addresses, Social Security numbers or individual tax identification numbers, medical information, health insurance claim information, and policy information. Financial information and other government-issued identification numbers were also involved for a limited number of individuals[3].
Response and Notification
Upon discovering the breach, Unum Group took several steps to mitigate the impact and prevent future incidents. These steps included taking the MOVEit Transfer application offline, applying patches recommended by the software vendor, notifying law enforcement, and monitoring publicly available information regarding the vulnerability[3].
Unum Group began notifying affected individuals on July 22, 2023, providing them with information on how to enroll in free credit monitoring and identity protection services. The company also advised affected individuals to remain vigilant by reviewing their account statements and monitoring their credit reports for signs of suspicious activity[3].
Legal and Regulatory Implications
The breach led to a class action lawsuit filed against Unum Group, alleging negligence in protecting its computer systems from cybercriminals. The lawsuit claims that over half a million people’s medical information and private identification information were compromised as a result of the breach. The plaintiff, Kyle Marks, alleges that Unum failed to promptly notify affected individuals, waiting more than two months to inform them of the breach[5].
Conclusion
The Unum Group SACE data breach underscores the importance of robust cybersecurity measures and prompt incident response protocols. It also highlights the growing threat of ransomware attacks and the need for organizations to stay vigilant against vulnerabilities in third-party software applications. As the legal proceedings unfold, they may set precedents for how similar cases are handled in the future, particularly regarding the timeliness of breach notifications and the responsibilities of organizations to protect sensitive customer information[5].
Citations:
[1] https://www.jdsupra.com/legalnews/unum-group-confirms-moveit-data-breach-2113405/
[2] https://www.plumbenefits.com
[3] https://www.timesfreepress.com/news/2023/aug/03/chattanooga-unum-reveals-data-breach-tfp/
[4] https://www.wolterskluwer.com/en/solutions/ct-corporation
[5] https://topclassactions.com/lawsuit-settlements/privacy/data-breach/unum-data-breach-affects-half-a-million-consumers-class-action-claims/
[6] https://en.wikipedia.org/wiki/In_God_We_Trust
[7] https://www.healthcaredive.com/news/tracking-healthcare-data-breaches-cybersecurity-hacking-hospitals/696184/
[8] https://twitter.com/RepTimBurchett
[9] https://www.hipaajournal.com/august-2023-healthcare-data-breach-report/
[10] https://blackkite.com/data-breaches-caused-by-third-parties/
[11] https://www.blackfog.com/what-we-know-about-the-moveit-exploit/
[12] https://securetrust.io/cybersecurity-insights/recent-attacks/hipaa-data-breach-report-august-2023/