The latest victim of the MOVEit data breach is the Department of Health and Human Services
Federal health officials have notified Congress of a data breach that could involve the information of more than 100,000 people
Federal health officials have notified Congress of a data breach that could involve the information of more than 100,000 people.
A representative of the U.S. Department of Health and Human Services said Thursday that attackers gained access to the department’s data by exploiting a vulnerability in widely used file-transfer software.
Other government agencies, major pension funds and private businesses also have been affected by a Russian ransomware gang's so-called supply chain hack of the software MOVEit.
The HHS official did not provide details on the type of data affected but said none of the department’s systems or networks were compromised. Instead, the hackers accessed data managed by third-party vendors that the official did not name.
HHS reported to Congress on Tuesday what it considers to be a “major incident,” which occurs when the data of 100,000 people or more is affected, the official said.
The breach of the MOVEit file-transfer program, discovered last month, is estimated by cybersecurity experts to have compromised hundreds of organizations globally. Confirmed victims include the U.S. Department of Energy, other federal agencies, more than 9 million motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, the BBC and British Airways.
On Wednesday, the Tennessee Consolidated Retirement System said the data of more than 171,000 retirees and beneficiaries was involved in the breach. Last week, California’s public pension fund said the personal data of more than 769,000 retired workers and beneficiaries had been stolen.
The parent company of MOVEit’s U.S. maker, Progress Software, alerted customers to the breach on May 31 and issued a patch. But cybersecurity researchers say scores — maybe hundreds — of companies could by then have had sensitive data quietly exfiltrated.
The Cl0p ransomware syndicate behind the hack has indicated that it would extort victims, threatening to dump their data online if they don’t pay up.
___
The Associated Press Health and Science Department receives support from the Howard Hughes Medical Institute’s Science and Educational Media Group. The AP is solely responsible for all content.
