UT Southwestern Medical Center

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

The UT Southwestern Medical Center (UTSW) in Texas experienced a significant data breach due to a cybersecurity attack on the MOVEit software, a tool used for securely transferring large data files between networks. This incident, part of a broader series of attacks affecting numerous organizations both nationally and internationally, was identified on May 30, 2023, after an unknown individual exploited a previously unidentified vulnerability in the software on May 28, 2023. The breach led to the unauthorized access and theft of certain protected health information stored within UTSW’s MOVEit server[1].

The stolen patient data varied and may have included names, dates of birth, names of medications, dosages of medications, prescribing providers, and, for a smaller number of individuals, Social Security information[1]. UT Southwestern has been actively contacting impacted patients through direct mail to inform them about the specifics of the stolen information. Following the detection of the attack, UTSW took immediate steps to secure its systems and networks and to limit the amount of information stored within its MOVEit server, and it began a comprehensive analysis to identify both the individuals and types of data impacted[1].

UTSW has also been continuously monitoring for any additional suspicious activity and has not received any notification that the stolen information has been used maliciously. The institution has provided affected individuals with precautionary actions they can take, such as changing passwords, using two-factor or multifactor authentication, and notifying credit bureaus and monitoring agencies of any suspicious activity. Resources provided for informational purposes include the joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission’s website on identity theft, and a free credit report available online or by telephone[1].

This breach is part of a larger trend of cybersecurity attacks targeting healthcare facilities, which hold valuable information, making them attractive targets for hackers. The healthcare industry’s slow pace in adopting the latest technology and the consolidation in the electronic health record market, which results in most systems using one of two medical record software programs, create ideal conditions for hackers. Third-party vendors have also been identified as a weak link leading to data breaches[3].

UT Southwestern has expressed deep regret over the incident and offered reassurance that the protection of all data is a top institutional priority. The institution has a dedicated team and call center available to assist individuals with any questions they may have regarding the breach[1].

Citations:

  1. https://www.utsouthwestern.edu/newsroom/articles/year-2023/july-patient-notification.html
  2. https://www.utsouthwestern.edu/employees/information-security/awareness/malware-ransomware/
  3. https://www.dmagazine.com/publications/d-ceo/2023/november/hospitals-data-is-under-attack-how-is-the-industry-responding/
  4. https://www.wfaa.com/article/news/local/ut-southwestern-medical-center-patient-data-stolen-in-cyberattack-hospital-says/287-9fbeaee0-46a9-420a-9cbe-3b2a130921e0
  5. https://www.reddit.com/r/Dallas/comments/15adj7t/ut_southwestern_identity_theft/
  6. https://www.jdsupra.com/legalnews/the-university-of-texas-southwestern-7380334/
  7. https://www.govtech.com/security/these-six-texas-industries-suffered-hacks-in-2023
  8. https://www.dmagazine.com/healthcare-business/2023/07/ut-southwestern-one-of-400-organizations-hit-by-international-data-breach/
  9. https://www.dallasnews.com/business/2024/01/04/has-your-private-info-been-compromised-these-six-texas-industries-were-hacked-in-2023/
  10. https://www.hipaajournal.com/98000-ut-southwestern-medical-center-patients-affected-by-moveit-cyberattack/
  11. https://hacknotice.com/2023/07/25/the-university-of-texas-southwestern-medical-center-notified-jd-supra/
  12. https://www.thelyonfirm.com/blog/ut-southwestern-medical-center-data-breach-investigation/
  13. https://www.dea.gov/press-releases/2021/11/30/ut-southwestern-pay-45-million-resolve-alleged-controlled-substance-act
  14. https://www.beckershospitalreview.com/cybersecurity/texas-hospital-caught-in-moveit-breach-98-437-patients-affected.html
  15. https://www.hipaajournal.com/hipaa-breaches/
  16. https://www.myinjuryattorney.com/the-university-of-texas-southwestern-medical-center-data-breach-investigation/
  17. https://www.utsouthwestern.edu/research/hrpp/assets/crf_training_intro_utsw_unit_5_chapter_13_additional_2023.pdf

Breach Submission Date: Jul 24, 2023
Converted Entity Name: UT Southwestern Medical Center
Converted Entity Type: Healthcare Provider
State: TX
Individuals Affected: 98,437
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes