A sweeping series of data breaches involving the file transfer software product MOVEit has affected at least 88 provider organizations.
Many providers have disclosed breaches relating to Progress Software’s MOVEit program, according to data from security firm Emsisoft. The vulnerability was first discovered by Progress in May. A number of individual breaches have been subsequently reported.
MOVEit transfers large files, potentially including sensitive documents. A ransomware gang began exploiting a vulnerability in the software to steal data, according to a U.S. Cybersecurity and Infrastructure Security Agency news release.
“This isn't simply people's logins, passwords or even social security numbers,” said Brett Callow, a threat analyst at Emsisoft. “It’s a mix of health records, legal records stolen from law firms, information stolen from government, information stolen from banks, so it really is cross sector and a huge variety of data.”
The breach has affected more than 1,000 organizations and 60 million individuals, Emsisoft said in a blog post. Progress Software said in a statement it worked quickly to provide initial mitigation strategies and deployed a patch on May 31 that fixed the issue after discovering the vulnerabilities.
Around 10% of the records accessed in the breach are from healthcare organizations, according to Callow. The breaches at healthcare organizations account for more than 1.3 million individuals, but the number is likely much higher as only 14 of the 88 providers included user estimations.
Houston-based Harris Center for Mental Health and IDD as well as Baltimore, Maryland-based Johns Hopkins Medicine were among the healthcare providers with the most individuals compromised. In both cases, the providers reported breaches involving patient billing, health insurance and clinical information.
Harris had no comment. Johns Hopkins, whose university was also impacted, said in a statement it took immediate steps to secure its systems and is working with cybersecurity experts and law enforcement.
In July, the U.S. Department of Health and Human Services and Centers for Medicare and Medicaid Services said approximately 612,000 current Medicare beneficiaries were affected by the breach from third-party contractor Maximus.
“It was really just a matter of which sectors were using this particular platform,” Callow said.
Cybersecurity threats to healthcare organizations have grown exponentially in the last few years, according to a July report from managed security company Trustwave. Nearly 25% of cyberattacks in 2022 targeted the healthcare industry, according to data cited in the report. Data security overall is a challenge to healthcare that's bordering on a crisis, the report cautioned.