Already responsible for a devastating loss of sensitive personal data, the MOVEit data breach continues to expand with the news that a Medicaid/Medicare government contractor lost somewhere around 10 million records of health data.
The stolen information reportedly contains patient records and Social Security numbers, though it is still not clear if all of the 8 to 11 million records contain the same level of health data. The government contractor, Maximus, administers portions of Medicare and Medicaid among other assorted federal, state and local programs. As with the other elements of the MOVEit data breach, Russian ransomware group Cl0p is responsible and is threatening to dump 169 gigabytes of stolen data to the public if a payment is not negotiated.
Stolen health data adds to already long list of exposed identification documents
The MOVEit data breach has now been going on for months, as Cl0p slowly ransoms one compromised organization after another. It is still not known how many victims there are, with some research by security analysts indicating there were at least 2,500 exposed servers on the internet. Thus far Cl0p has hit at least 500 victims, including state government agencies that have yielded masses of driver’s license and identification documents.
Cl0p’s approach with the MOVEit data breach has been very careful and clever. The group appears to have found a set of vulnerabilities earlier in the year and quietly exploited them without tipping off security researchers, departing from its usual strategy of deploying ransomware and instead simply extorting victims with the data it had already hoarded. But even before this campaign, the group had established a pattern of attacking both file transfer services and government contractors as a quick central source of huge amounts of identity, financial and health data.
A patch was made available in early June, with several follow-up patches appearing into early July. The problem with the MOVEit data breach is that these patches have to be manually applied, and it may already be too late for some victim organizations by the time they get to them.
Government contractor one of the biggest, but certainly not the last victim of MOVEit data breach
The breach of the government contractor is among the biggest incidents to stem from the MOVEit data breach, and it is estimated to cost the company at least $10 million to remediate. But with literally thousands of potential victims still out there, the worst may be yet to come.
In total, security researchers estimate that over 34 million records of personal information have been leaked as a result of the MOVEit data breach. The government contractor is one of the parties offering victims free credit monitoring, and will be reaching out to them directly if their contact information is current. Health data is particularly prized by cyber criminals as it offers a lot of exploitable information in a concise package, and medical records often command very high prices on underground data trading forums.