Cyber Incident Victim: Maximus

Date: May 2021

Location: United States of America

Summary

A cybersecurity incident involving unauthorized access to an application managed by state contractor Maximus potentially exposed personal information of Ohio Medicaid providers. The breach compromised provider names, Social Security numbers, addresses, and other sensitive data. The incident was reported to impact hundreds of thousands of providers, with one notification citing 334,690 affected individuals. Maximus notified the state Medicaid program of the security failure, which occurred when an external party gained access to the application handling provider information. No patient data was involved in the exposure.

Description

On or around May 17, 2021, a cybersecurity incident involving unauthorized access to an application managed by Maximus, a contractor serving as Ohio Medicaid’s data manager, potentially exposed the personal information of Medicaid providers in Ohio. The breach was disclosed by Maximus to Ohio Medicaid on May 17, the same day the unauthorized access occurred, though the exact duration of the intrusion and the specific application compromised were not detailed in public reports. Exposed data included provider names, Social Security numbers, addresses, and other unspecified personal information. The incident did not involve patient data, as the affected individuals were healthcare providers enrolled in Ohio’s Medicaid program. Subsequent reporting to the Maine Attorney General’s Office indicated that 334,690 providers were impacted, though the reason for reporting to Maine rather than Ohio authorities was not clarified. Maximus did not initially disclose the method of unauthorized access or whether the incident resulted from external hacking, insider threats, or misconfigured security controls.

Ohio Medicaid publicly acknowledged the breach on May 17, 2021, following Maximus’s notification, but did not specify whether additional state systems or data were compromised. Maximus issued a formal breach notice to California authorities, as required by that state’s disclosure laws, though the content of this notice was not publicly elaborated. No information was provided regarding containment measures, forensic investigations, or whether law enforcement was engaged. The breach exclusively impacted providers’ personal and professional information, with no evidence of broader operational disruption to Medicaid services or patient care. Financial repercussions, identity theft risks, or remedial actions offered to affected providers were not disclosed in the available reports.
