Maximus, a U.S. government services contracting company, has confirmed that hackers exploited a vulnerability in MOVEit Transfer, resulting in unauthorized access to the protected health information of as many as 11 million individuals.
The company contracts with federal, state, and local governments to manage government-sponsored programs like Medicaid and Medicare. The breach is believed to be the largest healthcare data breach of the year and the most significant one stemming from the MOVEit mass-hacks.
While the exact number of impacted individuals is yet to be confirmed, Maximus estimates that at least 8 to 11 million individuals’ personal data, including Social Security numbers and protected health information, were accessed. The security incident is expected to cost the company around $15 million for investigation and remediation. The hackers, known as the Clop group, claim to have stolen 169 gigabytes of data from Maximus, but they have not yet published it.
The MOVEit Transfer hacks have affected hundreds of organizations, including accountancy giant Deloitte and global sports betting provider Flutter. Both companies have confirmed being impacted but stated that the scope of the breach is limited in their cases.
The Clop group has listed other victims on its dark web leak site, including accountancy firms PwC and Ernst & Young, as well as Pensions Benefit Information, which provides pension plan management services to various industries.
The MOVEit mass-hacks have affected over 500 organizations, exposing the personal information of more than 34.5 million people, according to cybersecurity company Emsisoft.