Maximus Data Breach

The U.S. government services contractor Maximus disclosed that the recent MOVEit Transfer data-theft attack compromised the personal data of up to 11 million clients.

Maximus is a contractor that manages and administers US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company employs 34,300 people. The company has been notifying people with Medicare whose PII may have been exposed. If you are a victim, and have received a data breach notification letter, contact our law firm to discuss your legal options.

Data breach victims are being offered free-of-charge credit monitoring services for 24 months, and attorneys argue this is not enough compensation for a possible lifetime of increased identity theft risk. Medical identity theft is a real thing, and if your Medicare Beneficiary Identifier number is stolen, you should learn more about receiving a new Medicare card with a new number.

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Maximus confirmed the attackers stole files containing personal information and protected health information, including Social Security numbers.

The MOVEit breach is a serious reminder of the vulnerabilities that exist in today’s digital world. If companies are not going to properly protect the data they collect and store, then it is up to consumers and privacy lawyers to press more continuous vigilance and robust security measures. We can do this together by filing class actions against companies who fail to build and invest in proper IT security.

What Happened?

On May 30, 2023, Maximus detected unusual activity in its MOVEit application. That same day, the third-party application provider, Progress Software Corp, announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files on their servers.

An investigation indicated that from May 27 to May 31, 2023, the unauthorized party may have obtained copies of files that were saved in the Maximus MOVEit application.

Personal and Medicare information was potentially involved in this data theft incident. This leaked information may have included the following:

•  Name
•  Social Security Number or Individual Taxpayer Identification Number
•  Date of Birth
•  Mailing Address
•  Telephone Number, Fax Number, & Email Address
•  Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
•  Driver’s License Number and State Identification Number
•  Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
•  Healthcare Provider and Prescription Information
•  Health Insurance Claims and Policy/Subscriber Information
•  Health Benefits & Enrollment Information

Understanding the MOVEit Ransomware Attack

Disclosed at the end of May, the attack allegedly exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer software which allowed the Clop group to access and remove the data transferred through the service.

According to cybersecurity firms, hundreds of organizations were impacted by the MOVEit hack and tens of millions of individuals have been caught up in the breach.

Clop Ransomware Group Claims the MOVEit Data Breach

The Clop ransomware gang added Maximus to its dark web data leak site along with many other MOVEit new victims at the time. Clop’s site claimed they stole 169GB of data during the breach on Maximus’ MOVEit Transfer server. As the list of MOVEit zero-day flaw victims grows, tens of millions are thought to be impacted.

This data breach allegedly happened because of an unidentified weak spot in the MOVEit software. Maximus has stated that this specific breach could affect up to 11 million individuals, leaking personal identifiable information (PII) and protected health information (PHI) of Medicare beneficiaries.

Companies like Maximus used the Progress Software MOVEit service to send, receive and store sensitive information, making it a perfect target for cybercriminals.

Victims should stay alert for phishing attempts in the form of emails, texts, or phone calls that may look like they’re coming from trusted sources like Medicare. You should never provide personal information in response to any unsolicited request via email, text, or phone call.

Other Maximus Data Security Incidents

In 2021, Ohio Medicaid announced that their data manager, Maximus Corp, has been hit with a “cybersecurity incident” which compromised the personal information of almost 335,000 individuals. Those affected individuals are located in multiple U.S. states.

The Maximus data breach was first reported in May 2021 when unknown parties allegedly accessed a company server. Maximus has sent out notification letters to those affected, and although they don’t believe any personal information has been misused or sold on the dark web yet, there is always some degree of uncertainty in these matters and data theft cannot be ruled out.

According to reports, in 2020, ransomware attacks affected 560 health care facilities in the U.S. In at least a dozen of those incidents sensitive health information and other personal data was published online. The cyber threat keeps on growing, and the only way to curb the hacks is for companies to properly invest in cybersecurity. 

On May 19, 2021, Maximus discovered a breached server that contained personal information provided to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan. Maximus took the server offline shortly after discovering the data breach to prevent further unauthorized access and began an investigation. In the 2021 breach, personal information that may have been leaked included:

• Names
• Dates of birth
• Social Security numbers
• Drug Enforcement Agency numbers