Cyber Incident Victim: Medical College of Wisconsin
Date:
May 2023
Location:
United States of America
Summary
The Medical College of Wisconsin experienced a data breach involving unauthorized access to its third-party MOVEit Transfer solution, which was exploited through a vulnerability in the software. The incident resulted in the potential exfiltration of personal information stored on the affected server, though the organization confirmed no compromise of its broader network. Upon notification of the vulnerability, the institution engaged third-party professionals to investigate and remediate the issue, later determining that specific files had been accessed. Impacted individuals were offered complimentary credit monitoring services, though no identity or financial fraud linked to the breach had been reported at the time of disclosure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, the Medical College of Wisconsin (MCW) was notified by a third-party vendor regarding a security vulnerability in the MOVEit Transfer solution utilized by the institution. This vulnerability had been actively exploited by unauthorized actors to access data stored on MCW’s MOVEit server. MCW confirmed the MOVEit software vendor had acknowledged the vulnerability and released patches to remediate the exploit. The college immediately initiated mitigation efforts, including engaging third-party professionals to investigate the incident and assess the scope of potential data compromise. MCW’s broader network security remained uncompromised during the incident. On September 21, 2023, the investigation revealed that certain files containing personal information were potentially exfiltrated from the MOVEit server by an unauthorized party on May 27, 2023. The accessed data included variable personally identifiable information (PII), though specific data elements or volumes were not disclosed in the notification.
MCW confirmed no direct evidence of identity fraud or financial fraud stemming from the incident as of the notification date. In response, the institution offered affected individuals a complimentary ##-month membership of Experian IdentityWorks credit monitoring, identity restoration services, and $1 million identity theft insurance. The college established a dedicated toll-free response line to address inquiries and provided detailed guidance on fraud alerts, security freezes, credit report monitoring, and medical information protection measures. MCW reiterated its commitment to evaluating third-party vendor relationships and enhancing internal security controls to prevent future incidents. Notification letters were dispatched on November 14, 2023, outlining remediation steps and regulatory resources for residents of specific states including Iowa, Maryland, New York, North Carolina, Oregon, and Washington D.C. The institution emphasized ongoing vigilance through periodic credit report reviews and collaboration with law enforcement or the Federal Trade Commission if suspicious activity occurred.