More than 744k Hoosiers on Medicaid affected in contractor software breach

The names, addresses, case numbers and Medicaid numbers of more than 744,000 Hoosiers on Medicaid were exposed in a contractor’s late May security breach, Indiana’s Family and Social Services Administration (FSSA) announced Friday.

Four people’s Social Security numbers were also exposed, FSSA said.

The breach affected file transfer software MOVEit, used by Indiana’s health coverage programs enrollment broker Maximus Health Services. But Maximus also manages and administers other government programs at the federal and local levels.

Maximus said it “detected unusual activity” in its MOVEit application on May 30, according to a sample letter sent to the 612,000 Medicare beneficiaries affected nationwide in the same breach.

On May 31, MOVEit developer Progress Software Corp. announced that a vulnerability in the software had let an unauthorized third-party gain access. That day, Maximus halted its use of MOVEit, according to the letter.

In a July 26 report to the U.S. Securities and Exchange Commission, Maximus said the files of at least 8 million to 11 million people had been impacted nationwide. The company said it would notify those people of the breach, and offer them free credit monitoring and identity restoration services.

But Maximus is far from the only organization using MOVEit. The breach has impacted K-12 schools, universities, motor vehicle authorities, pension management organizations and more, according to Reuters.

The total number of people impacted could be 40 million or more, according to cyber analyst tallies corroborated by Reuters. And Cl0p, the group behind the hack, is slowly leaking their data.