The latest victim of the MOVEit data breach is the Department of Health and Human Services

Federal health officials have notified Congress of a data breach that may have included information on more than 100,000 people

A representative for the US Department of Health and Human Services said Thursday that attackers gained access to the department’s data by exploiting a vulnerability in widely used file-transfer software.

Other government agencies, major pension funds and private businesses have also been affected by the alleged supply chain hack of the MOVEit software by a Russian ransomware gang.

The HHS official did not provide details on the type of data affected, but said none of the department’s systems or networks were compromised. Instead, the hackers accessed data managed by third-party vendors, which the official did not name.

HHS told Congress on Tuesday that it considers the breach a “major incident,” which occurs when data on 100,000 or more people is affected, the official said.

The breach of the MOVEit file-transfer program, discovered last month, is estimated by cybersecurity experts to have compromised hundreds of organizations globally. Confirmed victims include the US Department of Energy, other federal agencies, more than 9 million motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, the BBC and British Airways.

On Wednesday, the Tennessee Consolidated Retirement System said the data of more than 171,000 retirees and beneficiaries was involved in the breach. Last week, California’s public pension fund said the personal data of more than 769,000 retirees and beneficiaries was stolen.

The parent company of Progress Software, the US maker of MOVEit, alerted customers about the breach on May 31 and issued a patch. But cybersecurity researchers say that by then many, perhaps hundreds, of companies had already had sensitive data quietly siphoned off.

The CL0P ransomware syndicate behind the hack has indicated that it will extort victims and threaten to dump their data online if they do not pay.

The Associated Press Health and Science Department is supported by the Howard Hughes Medical Institute’s Science and Educational Media Group. AP is solely responsible for all content.
