Update December 17, 2023: Since this was first published on July 27, the number of organizations affected has climbed from 538 to 2,686, and the number of people affected is over 90 million.
One of the largest hacks in history is still unfolding, and the number of companies and individuals affected keeps climbing. Huge, well-known institutions with good reputations have been hit in the U.S. and worldwide. The key takeaway from the MOVEit hack is that organizations inadvertently use software that has vulnerabilities and causes massive breaches when not monitored, patched, and updated.
As of mid-December 2023, a report from New Zealand security firm Emsisoft shows that the MOVEit attack has hit 2,686 organizations and affected over 90 million people. Honeywell International, Inc., Bristol Myers Squibb, and even the U.S. Department of Health and Human Services (HHS) were affected. Bloomberg News first reported the HHS attack.
The sectors hardest hit so far are finance, professional services, and education. However, healthcare organizations, including hospitals and health insurance plans, have also been affected, triggering this Cybersecurity Advisory from the American Hospital Association (AHA).
MOVEit File Transfer Platform Reaches Far and Wide
Emsisoft summarized the situation:
“MOVEit is a file transfer platform made by a company called Progress Software Corporation. The platform is used by thousands of governments, financial institutions and other public and private sector bodies all around the world to send and receive information.
In late May 2023, data started to be transferred from hundreds of MOVEit deployments, however, these were not normal file transfers initiated by legitimate users. MOVEit had been hacked and the data was being stolen by a ransomware operation called Cl0p.”
Another report from German cybersecurity research firm KonBriefing.com lists all the known victims and shows the scope of the MOVEit hack with clear diagram illustrations. KonBriefing notes that Progress Software first published an explanation of the vulnerability and its fix on May 31, 2023, with periodic updates since then.
Some affected organizations were breached when the Russian-language Cl0p group directly attacked their MOVEit transfer software. At the same time, others were victimized because Cl0p attacked one or more of their MOVEit-using service providers.
Healthcare in the Public and Private Sector Hit
- Two of the largest three MOVEit data breaches, as of mid-December 2023, occurred at healthcare organizations: Welltok, Inc., affecting nearly 8.5 million patients, and Delta Dental of California, affecting approximately 7 million.
- The largest MOVEit data breach so far happened to U.S. government contractor Maximus, affecting 11.3 million individuals.
- Another massive health data breach resulting from MOVEit occurred at the Colorado Department of Health Care Policy and Financing, where 4.1 million people were affected due to an attack on IBM, which runs Colorado’s Medicaid program.
- Recent healthcare victims include fourteen North Carolina medical providers who are customers of Nuance Communications, Inc. Nuance, which used MOVEit, is a Microsoft company that markets speech recognition and artificial intelligence software.
- Other healthcare victims include healthcare risk adjustment firm Cognisight, Harris Health, a healthcare system in Houston, Johns Hopkins University Health System, the University of Louisville Health System, and AltaMed Health Services in Los Angeles, among others.
Preventive Advice for Healthcare
The AHA Cybersecurity Advisory lists twenty steps to minimize and manage risks the Cl0p ransomware group poses.
Eight of the steps listed include:
- Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
- Review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available, along with the joint FBI/CISA alert.
- Identify other secure file transfer applications, assess their necessity and access, and ensure they are fully patched.
- Review and secure Remote Desktop Protocol (RDP) if you use it.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Provide user training, especially phishing awareness exercises.
- Use multi-factor authentication for passwords and access.
- Install and regularly update antivirus and anti-malware software on all hosts.
Follow the HIPAA Security Rule
A HIPAA Risk Analysis contains all the mitigation steps in the AHA Advisory. Use the Security Rule Checklist to identify and address your risks. Remember that your third-party vendors must have robust cybersecurity defenses in place. If they are HIPAA business associates, they should have their own policies and conduct their own Risk Analysis.