
Cyber Incident Victim: American Board of Internal Medicine

Date: May 2023

Location: United States of America

Summary

The American Board of Internal Medicine was impacted by a global cybersecurity incident exploiting a zero-day vulnerability in the MOVEit Transfer file transfer service. This external system breach resulted in unauthorized access to personal information, including names and Social Security numbers, for over 13,000 individuals. The organization took immediate steps to contain the incident and offered credit monitoring services to those affected.


Description

On or around May 30, 2023, the American Board of Internal Medicine (ABIM) experienced a data breach as a result of a widespread cybersecurity incident involving a third-party file transfer service. The incident was a consequence of external actors exploiting a zero-day vulnerability in the MOVEit Transfer software, a Secure File Transfer Program (SFTP) utilized by ABIM. The organization was among approximately 800 entities potentially affected by this global attack, which targeted over 2,500 known SFTP servers. The breach was officially discovered by ABIM on May 31, 2023, the day after the initial compromise occurred. The attack was characterized as an external system breach, specifically a hacking incident.


Upon discovery, ABIM’s security team immediately shut off the file transfer process connected to the MOVEit service and initiated an investigation. The attack was determined to be limited solely to the file transfer service itself; no other internal ABIM data systems were impacted or compromised. All of ABIM's data systems are monitored twenty-four hours a day, seven days a week, for potential cyberattacks and employ multiple layers of security, but this particular vulnerability was exploited within the third-party application. ABIM engaged with information security experts and partnered with a leading cyber forensic company to undertake an extensive investigation to learn exactly what happened and to determine the full scope of the incident.

The investigation revealed that the personal information of a significant number of individuals was exposed. The total number of persons affected, including residents from all states, was 13,361. Specifically, the personal data of 30 Maine residents was compromised in the breach. The information acquired by the attackers consisted of names or other personal identifiers in combination with Social Security Numbers. This data was exfiltrated from the MOVEit Transfer system during the exploitation of the vulnerability.

ABIM uses the MOVEit Transfer service to securely exchange information with other organizations that provide core business operations related to the initial certification and maintenance of certification for physicians. The most common use of the program was to support the “CME for MOC” collaboration with one of its third-party vendors, facilitating the secure transfer of files necessary for these business operations. The breach was unrelated to the ABIM Physician Portal or its sign-in credentials, meaning user account passwords for that system were not directly exposed in this event.

In response to the confirmed data exposure, ABIM began preparing to notify affected individuals. The organization stated it would contact anyone identified as being directly affected by the incident in the coming weeks following the initial discovery. The formal method of notification for all affected individuals, including Maine residents, was written notice. The date scheduled for the consumer notifications was July 25, 2023. For those individuals whose data was exposed, ABIM offered identity theft protection services at no charge to mitigate potential harm. These services were provided through IDX and included Single Bureau Credit Monitoring, fraud consultation, and identity theft restoration services.

The primary impact of the incident was the potential exposure of highly sensitive personal information, specifically Social Security numbers combined with names, for over thirteen thousand individuals. This type of data is highly valued by malicious actors for the purpose of committing identity theft and financial fraud. ABIM expressed deep disappointment at being affected by the incident and dismay that any physician in their diplomate community may have had personal information exposed as a result of the actions of these bad actors. The organization emphasized its commitment to protecting the data of the physicians it certifies and stated it would do everything possible to support those affected. The broader consequence was the loss of trust and the necessity for those impacted to enroll in credit monitoring services to safeguard their personal identities and financial health. The incident highlighted the risks associated with relying on third-party software vendors and the cascading effects of a widespread vulnerability in a commonly used commercial product.
