Skip to main content

NASCO Data Breach Investigation | MOVEit Transfer

The Lyon Firm is currently involved in a number of security breach incidents linked to the MOVEit Transfer ransomware attack in which hundreds of entities and tens of millions of consumers were impacted. NASCO is one of the latest companies to announce a notice of data breach, reporting that the personal data of over 804,000 individuals may have been compromised.

What Happened at NASCO?

On July 12, 2023, NASCO, a subsidiary of Blue Cross Blue Shield of Michigan, and a provider of healthcare technology solutions, discovered that it had experienced a data breach in which the personal identifiable information of thousands of individuals in its system may have been accessed and acquired.

After an investigation, NASCO determined that an unauthorized actor may have accessed this sensitive information in late May 2023 through a vulnerability in the MOVEit file sharing platform. The MOVEit transfer service fell victim to a “zero-day exploit,” which is a cyberattack targeting a vulnerability that’s unknown to either the software’s creators or antivirus vendors. Clop, the ransomware group who claimed the attack, identified the software vulnerability before Progress Software could apply a security patch, and they quickly attacked.

On October 20, 2023, NASCO began sending out notice of data breach to those impacted and Attorneys General around the country. The type of information exposed may include:

  • Names
  • Social Security numbers

More About NASCO

NASCO, operating out of Atlanta, Georgia, is an independent subsidiary of Blue Cross Blue Shield of Michigan. The company offers software solutions and technology to health plans to help automate and streamline their processes both internally and for clients. NASCO has exclusively served Blue Cross and Blue Shield Plans for over 30 years.

Data security is likely to remain a challenge for National Account Service Company and many others around the globe. Not only do companies need to invest heavily in their own network security, but now they are urged to ensure that all third-party vendors have all their ducks in a row as well.

A company’s IT security is essentially only as strong as its weakest supply-chain link. We see the problems with thousands of companies who relied on Progress Software to provide a good and secure file transfer solution. It is unfortunate, but the reality is NASCO has a duty to make sure all their vendors are secure as well.

What is MOVEit?

MOVEit is a file transfer program owned by Progress Software. In May 2023, a ransomware group called Cl0p gained access to the software and stole a large amount of data. The MOVEit software is used by a wide range of organizations in the public and private sector to electronically move sensitive personal data.

Obviously, it was a huge target because of the sensitive data companies were transferring back and forth, and hackers found a vulnerability to exploit. The data breach ultimately hit financial companies, government agencies, pension funds, schools and healthcare companies. Tens of millions of people have been impacted worldwide.

The Clop ransomware group has been very active in the last couple of years, and has had success in extorting companies after they hack their systems and steal valuable data. This particular breach is so far-reaching that it has overwhelmed consumers. Many victims have been hit with numerous data breach events in a calendar year and have reason to be upset, confused and angry.

Legal action may be the only recourse that can compensate a plaintiff. We will work on your behalf to find you a rightful settlement after any data privacy violation. You are encouraged to remain vigilant as well as the case moves forward. You should be monitoring your accounts, stay alert for phishing scams, changing your login credentials and looking for signs of fraud and identity theft.

Can I Join the NASCO Data Breach Lawsuit?

Yes, it is still possible to file a claim if you have been notified that you are a victim in the MOVEit breach. We are handling ongoing litigation in the case, and many cases are being consolidated by the courts. Contact our data breach lawyers to learn more about joining the suit.

We handle a variety of data privacy cases, and have had success settling data theft claims for plaintiffs in all fifty states. Following any data security incident in which your personal information is compromised, it is important to mitigate the risks of future identity theft and fraud. It is advisable to stay vigilant to frequently monitor your credit history and accounts. There are a number of software solutions available following a cyberattack to help you stay protected. Contact our attorneys to learn more and to consider legal action.

Our lawyers are working alongside some of the biggest firms in the nation on a wide range of data privacy litigation. We believe strongly that entities that collect and store your personal information have a duty to protect it. When companies fail to build and maintain a reasonably secure IT network, and a data theft incident occurs, victims can file a class action data breach lawsuit and hold the company accountable.

Contact our data breach lawyers to learn more about the MOVEit Transfer ransomware attack, and to assess your eligibility to file a NASCO data breach claim. Free and confidential consultations available.