Crime
If you enrolled in a state health program through UMass Chan Medical School in Worcester, your data may have been leaked.
State officials are warning more than 134,000 Massachusetts residents that their personal information was part of a third-party data security breach that has affected millions around the world.
Who was affected
People currently or previously enrolled in certain state health programs through UMass Chan Medical School in Worcester may have been impacted by a data security incident involving a file-transfer software program called MOVEit, the Executive Office of Health and Human Services said in a press release Tuesday.
People who were affected by the breach are those who were or are enrolled in the State Supplement Program (including recipients, other members of the household, and authorized representatives), MassHealth Premium Assistance, MassHealth Community Case Management, or the Executive Office of Elder Affairs and Aging Services Access Points home care programs, the release said.
No UMass Chan Medical School or state data security systems were compromised by the breach, the office said. The Health and Human Services office is notifying people whose information may have been leaked by mail, as well as phone, text, and e-mail where possible, the release said.
What information was leaked
While the information involved in the breach varied, it included names and one or more of the following:
- Date of birth
- Mailing addresses
- Protected health information such as diagnosis and treatment information, prescription information, provider names, dates of service, claims information, health insurance member ID numbers, and other health insurance related information
- Social Security number
- Financial account information
The letter from the state should explain what data may have been leaked, how the state has responded to the breach, and how those affected can protect their personal information, the release said.
“Any individual who receives a notice is encouraged to take steps to protect their information, including monitoring their financial account statements and enrolling in free credit monitoring and identity theft protection offered to individuals who had certain sensitive information involved,” the office wrote in the release.
UMass Chan is offering free credit monitoring and identity theft protection services to those whose Social Security numbers and/or financial information were part of the breach, the release said.
How the breach happened
MOVEIt, which is operated by tech giant IBM, was hacked by a Russia-linked ransomware group called Clop earlier this summer, according to TechCrunch. The group found a previously-unknown vulnerability in the software, and has been publicly listing alleged victims since June 14.
The victim list contains nearly 700 organizations, including banks, hospitals, hotels, energy giants, and state health departments around the country. Clop said it would leak the “secrets and data” of all MOVEit victims that refused to negotiate on Aug. 15, TechCrunch reported.
MOVEit is owned by Burlington, Mass., software company Progress Software.
UMass Chan learned about the MOVEit security breach on June 1. The medical school immediately fixed the vulnerability, contacted law enforcement, launched an investigation, and worked to figure out what information was compromised, the release said.
UMass Chan was ultimately able to identify which files may have been affected by the data security breach. The medical school determined that some of these files contained information about people enrolled in state programs on July 27, the release said.
For more information, visit mass.gov/MOVEitIncident or call 855-862-7769.
Newsletter Signup
Stay up to date on all the latest news from Boston.com
Originally posted 2023-08-17 00:23:27.