Missouri’s Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.
The attack was conducted by the Clop ransomware gang, who began hacking MOVEit Transfer servers on May 27th using a zero-day vulnerability tracked as CVE-2023-34362.
These attacks allowed the threat actors to steal data from over 600 organizations worldwide, including companies, educational organizations, federal government agencies, and local state agencies.
The ransomware gang is expected to make $75-100 million from these attacks.
Missouri health data exposed
Yesterday, the Missouri Department of Social Services disclosed a data breach that exposed health information related to Medicaid services in the state.
“The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software,” reads the DSS data breach notification.
“IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS. DSS took immediate steps in response to this incident that are ongoing.”
IBM confirmed to BleepingComputer yesterday that their MOVEit Transfer server was breached in these attacks, allowing data theft.
“IBM has worked in partnership with the Missouri Department of Social Services to determine and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software,” IBM told BleepingComputer in a statement.
“Upon receiving a security bulletin from Progress, we severed interaction of MOVEit Transfer with the department’s IT systems to avoid any further impact to Missouri citizens and their data. No IBM systems were impacted.”
After analyzing the stolen data, DSS confirmed that it contained protected health information for Medicaid participants in Missouri.
“The information involved in this incident may include an individual’s name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims information,” explains the DSS notification.
“DSS is still reviewing the files associated with this incident. This will take us some time to complete. These files are large, are not in plain English, and are not easily readable because of how they are formatted.”
The agency told BleepingComputer that the investigation has revealed that only two (2) Social Security numbers were exposed and that no banking information has been identified.
DSS warns that due to the size of the stolen files and how they are formatted, it may take some time to analyze the data and fully determine the scope of the data breach.
However, DSS told BleepingComputer that, out of an abundance of caution, they are sending notifications to all Missouri Medicaid participants who were enrolled in May of 2023.
The Missouri Department of Social Services suggests that individuals freeze their credit to prevent threat actors from opening new accounts or borrowing money under their name.
The agency also recommends that those impacted monitor their credit reports for unusual activity.
The MOVEit Transfer attacks have impacted other state agencies, including the Louisiana and Oregon Department of Motor Vehicles, who warned in June that millions of state IDs were stolen.