Data Breaches Reported by State of Maine, Affinity Legacy, The Charles Lea Center and Detroit Chassis

State of Maine Data Breach Impacts 450,000 Records

The State of Maine has reported the theft of the protected health information (PHI) of 453,894 persons in the latest mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution by Progress Software. Progress Software released a patch for the vulnerability on May 31, 2023, but by then the vulnerability had already been exploited. According to the investigation by the State of Maine, the Clop hacking group exploited the vulnerability between May 28, 2023 and May 29, 2023, and sensitive information was stolen.

The breach only affected the MOVEit server and did not compromise any other systems. The Clop hacking group stated that it only wanted to hack businesses and that it would erase all information stolen from governments; nevertheless, the State of Maine is telling all impacted persons to disregard those statements and take action to protect themselves against fraud. The people impacted were probably Maine residents or workers, or may have received services from or collaborated with a state organization. Maine also participates in data-sharing agreements with other companies to improve the services it provides to residents and the public.

The data compromised varies from person to person, depending on their interactions with state organizations. All impacted people whose Social Security numbers or taxpayer ID numbers were stolen received two years of free credit monitoring and identity protection services.

MOVEit Hack Impacts Affinity Legacy Inc.

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has reported that it was impacted by the recent MOVEit Transfer hacks. The breach occurred at a business associate that provides claims processing services and used the software solution to transfer files.

The vulnerability was exploited from May 30 to June 2, 2023, and on June 21, 2023, the vendor confirmed that the attackers downloaded some files that included the PHI of 5,538 persons who were Affinity Health Plan members before 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen information contained names, addresses, birth dates, Social Security numbers, medical diagnosis codes and/or Medicare numbers. Free personal identity and privacy protection services were provided to the impacted persons.

Ransomware Attack on The Charles Lea Center

The Charles Lea Center, a non-profit organization based in Spartanburg County, SC, recently informed 1,250 people about the compromise of some of their data in a ransomware attack in June 2023. The incident was discovered on June 19, 2023, when it was noticed that part of its system was encrypted. The threat actor issued a ransom demand claiming that some files from its systems were exfiltrated.

Although the forensic investigation could not identify the exact types of data that were compromised, the file analysis confirmed on October 2, 2023, that the breached files included names, Social Security numbers, birth dates, and certain medical treatment data. The Charles Lea Center has provided the impacted persons with free credit monitoring services and has instructed them to monitor their financial account statements regularly for indications of fraud. The Charles Lea Center stated it had taken steps to ensure the privacy of information prior to the attack and will be enhancing those measures to improve security.

Data of Detroit Chassis Health Plan Member Exposed

Detroit Chassis, a niche vehicle manufacturing solutions company in Michigan, suffered a sophisticated cyberattack on or about March 12, 2023. Upon discovery of the attack, the company took immediate action to protect its systems and engaged third-party cybersecurity specialists to investigate. According to the investigation, the attackers gained access to parts of its system that included the information of 958 health plan members, which was stored on an email server that was about to be decommissioned.

According to Detroit Chassis, there is reason to believe that the data was not subjected to unauthorized acquisition; however, the possibility has not been ruled out. The server included data like names, addresses, birth dates, driver’s licenses, Social Security numbers, financial account data, credit card numbers, passport numbers, state ID numbers, usernames and access data for non-financial accounts, health data, medical insurance numbers and data associated with its employee prescription benefits plan.

Medical Records Theft During Lakeview Healthcare System Break-in

On September 29, 2023, Lakeview Healthcare System in central Florida experienced a break-in at its Fern Drive site in Leesburg. The break-in happened at about 5 a.m., and the intruder stole three password-protected mobile devices and health records that included the PHI of patients. The paper documents contained data like names, addresses, billing data, diagnoses, and treatment data.

Lakeview Healthcare System stated it has carried out remediation efforts to reduce the risk of similar incidents in the future, has evaluated its security guidelines and procedures, and has retrained employees on data security and secure document keeping. Physical security measures are being evaluated at every location, including using more shred bins, replacing physical locks, and applying extra access controls to enable quicker and more exact termination of access.

The breach report was submitted to the HHS’ Office for Civil Rights as impacting 2,495 persons.