Cyber Incident Victim: AlohaCare, Inc.
Date:
May 2023
Location:
United States of America
Summary
AlohaCare experienced a cybersecurity incident involving unauthorized access to its systems via a zero-day vulnerability in the MOVEit file transfer tool, which impacted global organizations. The breach compromised names, addresses, dates of birth, and Social Security numbers of approximately 12,982 individuals, including 21 Maine residents. Following an investigation by cybersecurity experts, the organization implemented enhanced security measures and offered affected individuals 12 months of complimentary credit monitoring, dark web surveillance, identity protection services, and a $1 million insurance policy through TransUnion's Identity Force.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, AlohaCare discovered it was affected by a global cybersecurity incident involving a zero-day vulnerability in the MOVEit file transfer tool, which enabled unauthorized external system access. The Honolulu-based healthcare organization immediately engaged cybersecurity experts to investigate the breach’s scope and origin. Forensic analysis confirmed threat actors exploited this vulnerability to access files containing sensitive member information. The investigation concluded on October 17, 2023, confirming that attackers potentially acquired names, addresses, dates of birth, and Social Security numbers. This breach impacted 12,982 individuals nationwide, including 21 Maine residents. AlohaCare delayed public disclosure until completing the investigation to verify impacted datasets and identify affected parties. The compromise stemmed from a third-party software weakness rather than direct infiltration of AlohaCare’s internal networks. No evidence suggested misuse of exposed data prior to containment.
AlohaCare initiated written notifications to all affected individuals on November 3, 2023, detailing the breach’s nature and protective measures. The organization implemented enhanced security protocols to prevent recurrence and offered 12 months of complimentary identity protection services through TransUnion’s Cyberscout platform. These services included credit monitoring, dark web surveillance, a $1 million insurance policy, and fully managed identity restoration support. Enrollment required submission within 90 days and verification of U.S. residency, credit history, and Social Security number. For non-qualifying individuals like minors under 18, alternative safeguards such as fraud alerts and security freezes were recommended. AlohaCare established a dedicated call center (1-833-415-2510) for breach-related inquiries and provided regulatory notifications to multiple state attorneys general, including Maine’s Office of the Attorney General. The incident prompted internal security reviews and infrastructure hardening without disrupting ongoing healthcare operations.