Officials at the UMass Chan Medical School learned about the “security incident” on June 1, making them the latest government-related institution to confirm it had fallen victim to a hack that has affected millions of people and scores of agencies around the world.
School officials “immediately fixed the vulnerability” and said the breach involved a file-transfer software program called MOVEit.
“No UMass Chan or state systems were compromised in this incident. Impacted individuals have been sent notice by mail and will be contacted by phone, text, and e-mail where possible,” the Executive Office of Health and Human Services said in a statement.
The Healey administration said it started sending letters to affected individuals on Monday and encouraged those who receive one to “protect their information,” monitor their financial account statement, and enroll in credit monitoring or identity theft protection.
“The letter explains what data was impacted for each individual, the actions taken in response to the MOVEit incident and detailed steps that individuals can take to protect their information,” the state said.
Information involved in the data security breach varies by person, according to the state, but could include names, date of birth, social security numbers, sensitive health information, mailing addresses, and financial account information.
UMass Chan Medical said it plans to offer free credit monitoring and identity theft protection services to people who had their social security numbers or financial information leaked as part of the security breach.
The medical school provides services to the state for a handful of programs including MassHealth, the state supplement program, family resource centers, the Executive Office of Elder Affairs, and aging services access points.
Impacted individuals are a subset of current or recent participants in those programs, the Executive of Health and Human Services said.
After learning of the third-party software breach in June, the medical school “identified the files that may have been subject to unauthorized acquisition as a result of the MOVEit security flaw.”
“On July 27, 2023, UMass Chan determined that some of these files contained information pertaining to individuals who received services from EOHHS,” the state said.
MOVEit, a file transfer program made by Progress Software Corporation, is used by thousands of government agencies, private companies and financial institutions.
The hack of the program was first discovered in May when a data transfer was initiated by the ransomware group known as C10p, according to Emisoft, a malware protection company that analyzes the industry.
Nearly 700 organizations and 46 million individuals are tied up in the breach, according to Emisoft.
“Some of the organizations impacted provide services to multiple other organizations, and so the numbers above are likely to increase significantly as those organizations start to file notifications,” Emisoft said in a writeup of the data breach.
©2023 MediaNews Group, Inc. Distributed by Tribune Content Agency, LLC.
