Cyber Incident Victim: City of Temple Terrace Fire Department

On or around May 30, 2023, an unknown actor accessed the MOVEit Transfer server belonging to EMS Management and Consultants, Inc. (EMS|MC), the billing services provider for the City of Temple Terrace Fire Department. The actor exfiltrated certain data from this server. This incident was part of a larger, national compromise of the MOVEit Transfer tool, a product of Progress Software Corp., which was publicly disclosed by the company on May 31, 2023. The vulnerability within the MOVEit tool was the entry point exploited by the threat actor to gain unauthorized access to the server containing data processed by EMS|MC.

Following the public disclosure of the MOVEit vulnerability, EMS|MC was notified and moved quickly to apply the available patch to the compromised tool. The company also undertook all recommended mitigation steps provided by the software vendor. EMS|MC promptly launched a formal investigation into the potential impact of the incident on its systems and the data it held. This investigation was conducted with the assistance of third-party cybersecurity specialists to ensure a thorough examination.

The investigation by EMS|MC determined that the unauthorized access and data exfiltration event occurred specifically on May 30, 2023. To understand the full scope and nature of the data taken, EMS|MC then engaged a separate, third-party data analysis firm. This firm performed a detailed review of the involved data to identify its specific contents and to determine which individuals were related to the information. Through this meticulous review, EMS|MC learned that the data set accessed by the actor included information related to approximately 700 patients who had been treated and/or transported by the City of Temple Terrace Fire Department.

The types of information impacted for these Temple Terrace patients were identified as name, date of service, medical treatment location (specifically the destination hospital), and medical record number. An initial communication from EMS|MC erroneously stated that Social Security numbers and dates of birth were also involved in the breach. However, the subsequent detailed data analysis confirmed this initial assessment was incorrect; those specific data elements were not present in the exfiltrated information. EMS|MC committed to issuing a revised and corrected notification letter to the affected individuals.

EMS|MC undertook notification procedures by mailing letters to all affected individuals for whom the company had a valid mailing address. The notification explained the nature of the incident and the specific data elements involved. While EMS|MC stated it was unaware of any actual misuse of the information stemming from this incident, the company provided potentially affected individuals with steps they could take to help protect their information should they feel it necessary to do so. To assist those impacted, EMS|MC established a dedicated, toll-free call center to respond to inquiries about the incident. It also created a dedicated webpage to host additional information about the event and to offer guidance on how individuals could help protect their personal information.

The parent company of the affected software, Progress Software Corp., issued statements regarding the broader MOVEit vulnerability. The company explained that taking its MOVEit Cloud service offline was a defensive measure and not in response to any observed malicious activity. Progress stated its product teams and a third-party forensics partner had reviewed the vulnerability and associated patch and deemed that the issue had been addressed. The fix was applied to all MOVEit Cloud clusters and made available for MOVEit Transfer customers. Progress also noted that the third party’s public disclosure of the vulnerability did not follow normal industry standards and, in doing so, put customers at increased risk of exploitation. The primary consequence for the City of Temple Terrace Fire Department was a compromise of certain patient information, though the scope of exposed data was more limited than initially feared, excluding highly sensitive identifiers like Social Security numbers. The operational impact on the fire department itself appeared to be indirect, as the breach occurred at the level of its third-party service provider, which managed the billing and related data processing. The provider, EMS|MC, handled the direct response, including investigation, analysis, and consumer notification duties.