Up to 11 Million Health Records Compromised in Cyberattack on … – HIPAA Journal
Up to 11 Million Health Records Compromised in Cyberattack on Government Contractor
Reston, VA-based Maximus Inc., a government services contracting company, has announced in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023 and accessed the protected health information (PHI) of between 8 and 11 million individuals. The Clop ransomware group was responsible for the attack, and Maximus was one of hundreds of entities affected by the group’s mass exploitation of the zero-day vulnerability.
According to the filing, Maximus used MOVEit Transfer for internal and external file sharing, including for sharing data with government customers that participate in various government programs. After being notified about the vulnerability and data breach by Progress Software, Maximus launched a forensic investigation and a review of the affected files. That process is still ongoing, but Maximus has confirmed that the impacted files contained protected health information. Maximus said it cannot confirm precisely how many individuals have been affected until the review process is completed, and that it anticipates the process will take several more weeks.
Maximus has notified the affected customers and will provide notice to all affected individuals when the review concludes. Affected individuals will be offered complimentary credit monitoring and identity theft protection services for 24 months. Maximus has recorded expenses of $15 million for the quarter to June 30, 2023, in relation to the data breach.
The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has confirmed that the PHI of approximately 612,000 current Medicare recipients, and of up to 645,000 individuals in total, was exposed in this incident. The CMS said it is working with Maximus to provide notice to the affected individuals. The CMS said the stolen data includes names, dates of birth, mailing addresses, telephone numbers, email addresses, Social Security numbers/taxpayer identification numbers, Medicare beneficiary numbers, driver’s license numbers, state identification numbers, health insurance information, claims information, health benefits and enrollment information, and medical histories, which include notes, medical records/account numbers, conditions, diagnoses, images, treatment information, and dates of service.