Missouri says some Medicaid health information was compromised in MOVEit breach

Missouri’s Department of Social Services (DSS) this week became the latest state agency to confirm it had data stolen through a vulnerability affecting the MOVEit file transfer tool.

A DSS spokesperson would not say how many people were affected but said they will be sending notices to “all Missouri Medicaid participants and providers that were enrolled in May of 2023.”

In a statement released Tuesday, officials said they were notified by IBM on June 13 that Medicaid participants’ protected health information was accessed by hackers.

The information includes names, department client numbers, dates of birth, status of coverage and medical claim information. The notice does not mention it, but a DSS spokesperson told Recorded Future News that two social security numbers were identified in the batch of information.

The department uses IBM Consulting for a range of technology-focused services. An IBM spokesperson told Recorded Future News that the MOVEit file transfer software is “used in a small number of consulting engagements, with less than a handful having any personal data impacted.”

“IBM systems were not impacted by the breach. The Missouri Department of Social Services (DSS) used MOVEit Transfer, a non-IBM product, provided by a third-party supplier under an engagement with IBM Consulting to transfer files wherever they needed to go, not to IBM,” the spokesperson said.

“IBM has worked in partnership with the Missouri Department of Social Services to determine and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software. Upon receiving a security bulletin from Progress, we severed interaction of MOVEit Transfer with the department’s IT systems to avoid any further impact to Missouri citizens and their data.”

The department is the state agency that provides Medicaid services to eligible Missourians and said it would contact those who are affected. It is still analyzing a copy of the files that were accessed by the Clop ransomware gang, which has been the primary group exploiting the MOVEit vulnerability.

“Due to the size and formatting of the files, it will take some time to complete this analysis. While this analysis is ongoing, DSS is sending letters to those individuals who are potentially impacted by this incident so that they can take steps to protect their personal information,” the agency said.

“Even though our investigation is ongoing, individuals can take steps now to freeze their credit for free, which stops others from opening new accounts and borrowing money in their name, while allowing them to continue to use existing credit cards or bank accounts.”

Missouri was one of the first states to come forward and announce being affected by the vulnerability when it said its Office of Administration, Information Services and Technology Division was affected.

Since the bug emerged at the end of May, hundreds of businesses, governments and nonprofits have said their data was stolen by hackers, including companies like the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association of America (TIAA) and PBI Research Services – institutions that are connected to thousands organizations across the world.

Emsisoft, which has been tracking the incident, said so far 617 organizations have either come forward to announce breaches or been posted on the Clop ransomware gang’s leak site.

So far, the breaches with the largest number of victims include 11 million people affected through government service provider Maximus, six million from Louisiana Office of Motor Vehicles, 3.5 million from Oregon Department of Transportation and 2.6 million from TIAA.

So far more than 75% of victims are from the U.S., according to Emsisoft.

On the sidelines of the Black Hat cybersecurity conference, Dustin Childs – head of threat awareness at Trend Micro’s Zero Day Initiative – told Recorded Future News that the zero day vulnerability affecting MOVEit was one of the biggest in 2023.

“It stands out because it shows that attackers aren't just targeting your perimeter. They're not just targeting your desktop. They're targeting the stuff that is in the very soft middle. We've got a very crunchy outside but really soft and nuggety inside,” he said.

“Attackers – especially the ransomware crews – are gonna start looking at those [file transfer zero days] because people are getting a little smarter with not clicking on stuff and not responding to the scam emails. And by the way, MOVEit is not the only product in that field. There are other file transfer appliances out there. How secure are they? I would imagine if you've got a file transfer appliance, it's probably a target.”