Missouri’s Department of Social Services warns that protected Medicaid healthcare data was exposed in a data breach after IBM suffered a MOVEit data theft attack.
The attack was conducted by the Clop ransomware gang, who began hacking MOVEit Transfer servers on May 27th using a zero-day vulnerability tracked as CVE-2023-34362.
These attacks allowed the threat actors to steal data from over 600 companies worldwide, including corporations, educational orgs, federal government agencies, and local state agencies.
The ransomware gang is expected to make $75-100 million from these attacks.
Missouri health data exposed
Yesterday, the Missouri Department of Social Services disclosed a data breach that exposed health data related to Medicaid services in the state.
“The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software,” reads the DSS data breach notification.
“IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability didn’t directly impact any DSS systems, but impacted data belonging to DSS. DSS took immediate steps in response to this incident that are ongoing.”
IBM confirmed to BleepingComputer yesterday that their MOVEit Transfer server was breached in these attacks, allowing data theft.
“IBM has worked in partnership with the Missouri Department of Social Services to determine and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software,” IBM told BleepingComputer in a statement.
“Upon receiving a security bulletin from Progress, we severed interaction of MOVEit Transfer with the department’s IT systems to avoid any further impact to Missouri residents and their data. No IBM systems were impacted.”
After analyzing the stolen data, DSS confirmed that it contained protected health data for Medicaid members in Missouri.
“The information involved in this incident may include an individual’s name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims data,” explains the DSS notification.
“DSS is still reviewing the data associated with this incident. This may take us some time to complete. These data are large, are not in plain English, and are not easily readable because of how they’re formatted.”
The agency told BleepingComputer that the investigation has revealed that only two (2) social security numbers were exposed and no banking data has been identified.
DSS warns that due to the size of the stolen data and how it is formatted, it could take some time to analyze the data and fully determine the scope of the data breach.
However, DSS told BleepingComputer that out of an abundance of caution they’re sending notifications to all Missouri Medicaid members who were enrolled in May of 2023.
The Missouri Department of Social Services suggests that individuals freeze their credit to prevent threat actors from opening new accounts or borrowing money under their name.
The agency also recommends that those impacted monitor their credit reports for unusual activity.
The MOVEit Transfer attacks have impacted other state agencies, including the Louisiana and Oregon Department of Motor Vehicles, who warned in June that hundreds of thousands of state IDs had been stolen.