IBM MOVEit Data Breach Exposes Missouri’s Health Information to Cybercriminals – Urgent Alert

Data Theft Exposes Missouri Medicaid Healthcare Information

IT Services wants to inform the public about a concerning data breach that occurred in Missouri. The state’s Department of Social Services recently revealed that protected Medicaid healthcare information was exposed due to a data theft attack on IBM’s MOVEit software.

This attack was carried out by the Clop ransomware gang, who exploited a zero-day vulnerability, tracked as CVE-2023-34362, to hack into MOVEit Transfer servers starting from May 27th.

As a result of these attacks, the threat actors managed to steal data from more than 600 organizations worldwide, including companies, educational organizations, federal government agencies, and local state agencies. You can find more information about the breach here.

It is estimated that the ransomware gang will profit between $75-100 million from these attacks.

Is the Zacks Data Breach Related to the IBM MOVEit Data Breach?

The latest zacks data breach update does not indicate any direct connection to the IBM MOVEit Data Breach. While both incidents involve data breaches, there is no information suggesting they are linked. It is crucial to address each breach separately and take necessary precautions to ensure data security in all systems.

Missouri Health Data Breach

Yesterday, the Missouri Department of Social Services made a public announcement regarding a data breach that compromised health information related to Medicaid services in the state.

“The Missouri Department of Social Services (DSS) is currently addressing a data security incident that occurred in May 2023, involving IBM Consulting (IBM) and Progress Software’s MOVEit Transfer software,” stated the DSS in their official data breach notification.

IBM confirmed to IT Services that their MOVEit Transfer server was breached during these attacks, leading to the theft of data.

“IBM has been working closely with the Missouri Department of Social Services to investigate and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software,” IBM informed IT Services in a statement.

“Upon receiving a security bulletin from Progress, we immediately severed the connection between MOVEit Transfer and the department’s IT systems to prevent any further impact on the data and privacy of Missouri citizens. No IBM systems were affected by this breach.”

After analyzing the stolen data, the DSS confirmed that it contained protected health information of Medicaid participants in Missouri.

The compromised information may include individuals’ names, department client numbers (DCN), dates of birth, possible benefit eligibility status or coverage, and medical claims information, as explained in the DSS notification.

The DSS is currently reviewing the files associated with this incident, which is a time-consuming process due to their large size, non-plain English format, and complex formatting.

Fortunately, the investigation has revealed that only two social security numbers were exposed, and no banking information has been identified.

Due to the size and complexity of the stolen files, it may take some time for the DSS to fully analyze the data and determine the extent of the breach.

However, as a precautionary measure, the DSS will be sending notifications to all Missouri Medicaid participants who were enrolled in May 2023.

As a response to the breach, the Missouri Department of Social Services advises individuals to freeze their credit to prevent threat actors from opening new accounts or borrowing money using their identities.

The agency also recommends that those affected monitor their credit reports for any unusual activity.

It’s worth noting that the MOVEit Transfer attacks have also affected other state agencies, such as the Louisiana and Oregon Department of Motor Vehicles, who reported in June that millions of state IDs were stolen.