Update September 19, 2023: Since this was first published on Thursday July 27, the total number of organizations affected has climbed from 538 to 1,190 and the number of people affected is nearly 60 million. As the investigation continues, both of these numbers will likely grow.
One of the largest hacks in history is still unfolding and the number of companies and individuals affected keeps climbing. Huge well-known institutions with good reputations have been hit in the U.S. and around the world. The key takeaway from the MOVEit hack is that organizations are inadvertently using software that has vulnerabilities and causes massive breaches when not monitored, patched and updated in time.
The most recent report from New Zealand security firm Emsisoft shows that the MOVEit attack has hit 1,190 organizations and affected almost 60 million people. Honeywell International, Inc., Bristol Myers Squibb, and even the U.S. Department of Health and Human Services (HHS) were affected. The HHS attack was first reported by Bloomberg News.
The sectors hardest hit so far are finance and professional services, and education, which account for 23.7 percent and 18.8 percent of incidents respectively. But healthcare organizations, including hospitals and health insurance plans have also been affected, triggering this Cybersecurity Advisory from the American Hospital Association (AHA).
MOVEit File Transfer Platform Reaches Far and Wide
Emsisoft summarized the situation:
“MOVEit is a file transfer platform made by a company called Progress Software Corporation. The platform is used by thousands of governments, financial institutions and other public and private sector bodies all around the world to send and receive information.
In late May 2023, data started to be transferred from hundreds of MOVEit deployments, however, these were not normal file transfers initiated by legitimate users. MOVEit had been hacked and the data was being stolen by a ransomware operation called Cl0p.”
Another report from German cybersecurity research firm KonBriefing.com lists all the known victims and shows the scope of the MOVEit hack with clear diagram illustrations. KonBriefing notes that Progress Software first published an explanation of the vulnerability and its fix on May 31, 2023, with periodic updates since then.
Some affected organizations were breached when the Russian-language Cl0p group directly attacked their MOVEit transfer software, while others were victimized because Cl0p attacked one or more of their MOVEit-using service providers.
Healthcare in the Public and Private Sector Hit
- So far, the largest health data breach resulting from MOVEit occurred at the Colorado Department of Health Care Policy and Financing, where 4.1 million people were affected due to an attack on IBM which runs Colorado’s Medicaid program.
- The most recent healthcare victims include fourteen North Carolina medical providers who are customers of Nuance Communications, Inc. Nuance which used MOVEit, is a Microsoft company that markets speech recognition and artificial intelligence software.
- Other healthcare victims include healthcare risk adjustment firm Cognisight, Harris Health, a healthcare system in Houston, Johns Hopkins University Health System, the University of Louisville Health System, AltaMed Health Services in Los Angeles, among others.
Preventive Advice for Healthcare
The AHA Cybersecurity Advisory lists twenty specific steps to take to minimize and manage risks posed by the Cl0p ransomware group.
Eight of the steps listed include:
- Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
- Review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available, along with the joint FBI/CISA alert.
- Identify other secure file transfer applications, assess their necessity and access, and ensure they are fully patched.
- Review and secure Remote Desktop Protocol (RDP) if you use it.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Provide user training, especially phishing awareness exercises.
- Use multi-factor authentication for passwords and access.
- Install and regularly update antivirus and anti-malware software on all hosts.
Follow the HIPAA Security Rule
All the mitigation steps not specific to MOVEit in the AHA Advisory are contained in a HIPAA Risk Analysis. Use the Security Rule Checklist to make sure your risks are identified and addressed. And remember your third-party vendors are required to have strong cybersecurity defenses in place, and if they are HIPAA business associates, they should have their own policies conduct their own Risk Analysis.