Cyber Incident Victim: Data Media Associates

On or around May 31, 2023, Data Media Associates, LLC (DMA), a provider of printing, mailing, and healthcare billing fulfillment services, was impacted by a global cybersecurity incident involving a critical vulnerability in the MOVEit Transfer software. This managed file transfer solution was used by DMA to securely transfer data on behalf of its healthcare organization clients. The company became aware of the incident in June 2023 upon an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) addressing the vulnerability. The breach occurrence dates were subsequently determined to be May 31, 2023, to June 1, 2023. DMA took immediate steps to patch its MOVEit system in accordance with the software developer's instructions following the CISA alert.

DMA thereafter initiated a comprehensive investigation with the assistance of leading external experts to determine the scope of the incident and any potentially affected data. This investigation concluded on June 30, 2023, which was also the date the breach was officially discovered. The investigation revealed that certain data stored within the MOVEit application may have been acquired without authorization. The unauthorized acquisition was a direct result of the exploitation of the MOVEit software vulnerability and was not due to a breach of systems directly operated by DMA's clients.

The total number of individuals affected by the incident at DMA was 74,730. This figure included 131 residents of the state of Maine. The information involved varied by individual but potentially included protected health information. For a subset of affected individuals, specifically patients of the UB Dental Clinic, the compromised data included practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service or payment descriptions, charge amount, payments, or adjustments. The UB Dental Clinic reported that 765 of its patients were impacted. For other individuals, the notification letter indicated the information involved may have included a name or other personal identifier in combination with a Social Security Number. It was explicitly confirmed that for UB Dental patients, no credit card information or Social Security Numbers were part of the breach.

Beginning on August 23, 2023, DMA commenced its consumer notification process by issuing written notification letters to affected individuals. The notification provided details of the incident and the steps individuals could take to protect themselves. A dedicated call center was established to answer questions, operational from 9:00 AM to 9:00 PM Eastern Time, Monday through Friday. DMA also worked to provide notice to its partner organizations, such as the UB Dental Clinic, which began notifying its specific patients directly by mail the week of August 16, 2023.

In response to the incident, DMA stated it had taken all remediation measures recommended by the MOVEit software developers. The company also committed to evaluating additional safeguards to further enhance the security of the data entrusted to it. As part of its response, DMA offered identity theft protection services to affected individuals. These services were provided by IDX and included 12 months of credit monitoring, identity protection and restoration services, and a $1,000,000 insurance reimbursement policy.

The incident had operational consequences for DMA, requiring an investigation and remediation effort, and necessitating a large-scale consumer notification and support operation. For the affected individuals, the primary impact was the potential unauthorized access to their sensitive personal and health information, which exposed them to an increased risk of identity theft and fraud. The company apologized for any worry or inconvenience the incident may have caused. The breach was one of an estimated 2,500 organizations worldwide affected by the same MOVEit software vulnerability, indicating the attack was part of a widespread exploit rather than a targeted attack on DMA specifically. No systems directly operated or maintained by DMA's clients, such as those at the UB Dental Clinic, were breached or compromised.