Cyber Incident Victim: Harris Health System
Date: May 2023
Location: United States of America
Summary
Harris Health System experienced a data breach when cybercriminals exploited a vulnerability in its MOVEit file transfer software. The unauthorized access resulted in the download of files containing protected health information, which included names, Social Security numbers, government IDs, health insurance details, and treatment information. The incident did not impact the system's electronic medical records or disrupt patient care operations. The organization responded by implementing security patches and offering credit monitoring to affected individuals.
Description
On or about May 28, 2023, an unauthorized actor accessed the MOVEit file transfer server utilized by Harris Health System, a healthcare provider based in Bellaire, Texas. This access was made possible by a vulnerability within the MOVEit software itself. The threat actor successfully downloaded certain files from this system during the breach. The health system’s own electronic medical records were not impacted by this incident, and the attack was isolated to the MOVEit server, which operates independently from other internal systems. Patient care, services, and overall operations at Harris Health System were not affected, and the network remained fully functional and operational throughout.

Harris Health System first became aware of a potential issue on June 2, 2023, when it learned of the vulnerability in the MOVEit software that had been disclosed by its provider. Upon this discovery, the organization immediately implemented available security safeguards to address the specific vulnerability and to secure its MOVEit server. A prompt investigation was launched with the assistance of third-party cybersecurity experts to determine the nature and scope of the event. This investigation confirmed that the unauthorized access and file exfiltration had occurred several days prior, on May 28.
A detailed review of the downloaded files was undertaken to identify what specific information was compromised and which individuals were affected. The investigation determined that the incident involved protected health information and other personal data of certain patients and employees. The information varied by individual but potentially included names, addresses, dates of birth, Social Security numbers, medical record numbers, immigration status, driver’s license numbers or other government-issued identification numbers, and health insurance information. Furthermore, the files contained information related to care received at Harris Health, such as procedure details, treatment cost, diagnosis, medications, provider names, and dates of service. The health system stated it believed the compromised data did not include patient bank or other financial account information.
The breach was not all-encompassing; it only affected those individuals whose information was contained within the specific files downloaded from the MOVEit server. Harris Health System did not publicly disclose the exact number of patients and employees impacted by this event. However, the health system's published volume statistics from fiscal year 2022 suggest a potentially large scope, given the scale of its operations, which included over 40,000 hospital bed cases, 4,800 births, 147,000 emergency visits, 1.6 million outpatient clinic visits, and 18,000 total surgery cases.
In response to the incident, Harris Health System took several remediation steps. The organization implemented all patches made available by the provider of the MOVEit software to address the vulnerability and took additional actions to secure its MOVEit server. The health system committed to continuing to look for ways to enhance its secure file transfer protocols to prevent a similar event from occurring in the future. As required by law, Harris Health System also began the process of directly notifying individuals whose information was identified during its review and for whom it had sufficient contact information.
Notification letters were mailed to affected individuals beginning on July 21, 2023. For those whose Social Security numbers were involved in the breach, Harris Health System offered complimentary credit monitoring and identity theft protection services. A dedicated, toll-free call center was established to answer questions from patients and employees. The call center, reachable at 866-347-7885, operates Monday through Friday from 8 a.m. to 5:30 p.m. Central Time, excluding holidays. Individuals who believed they were affected but did not receive a letter by August 31, 2023, were instructed to contact this number.
This cybersecurity event was part of a much broader attack campaign targeting a zero-day vulnerability in the MOVEit managed file transfer software. Harris Health System was one of numerous organizations across the United States and around the world affected by this widespread exploitation, which also impacted other major entities including Johns Hopkins University and Health System, several U.S. government networks, and private sector companies like Genworth Financial. The California Public Employees Retirement System (CalPERS), the nation's largest public pension fund, also reported being a victim, attributing the attack to Russian cybercriminals and noting that the stolen data included sensitive personal information for hundreds of thousands of individuals. The incident at Harris Health System is therefore a single instance of a global cyberattack exploiting a common software vulnerability.
