
Cyber Incident Victim: University of Utah

Date: May 2023

Location: United States of America

Summary

The University of Utah was impacted by a series of third-party data breaches involving the MOVEit file transfer software. Health plan member data, donor information, and current/former employee records from vendor systems were compromised, potentially exposing personal details including names, Social Security numbers, and dates of birth. The incident affected thousands of individuals, though no exposure of University of Utah student records managed by another vendor was identified.


Description

On or around May 30, 2023, the University of Utah began documenting a series of data breaches stemming from a widespread security incident involving MOVEit Transfer, a file transfer software utilized by several of its third-party vendors. These incidents were not the result of a direct attack on university systems but were part of a larger pattern of nationwide data breaches traced back to vulnerabilities in the MOVEit software used by its contractors. The university’s involvement was through the compromised systems of these external partners, leading to the exposure of sensitive community data across multiple domains, including healthcare, advancement, human resources, and student records.

The first confirmed incident involved University of Utah Health Plans (UUHP) member information. The breach occurred through the vendor TMG Health, Inc. On June 21, 2023, TMG's data security personnel discovered that an unauthorized external user had accessed one of their MOVEit file transfer servers. This access and subsequent downloading of files took place between May 30 and June 2, 2023. Upon learning of the intrusion, TMG immediately blocked the unauthorized user from any further access and promptly notified UUHP. The investigation revealed that approximately 3,900 patient records were accessed during this period. The potentially exposed data was extensive and highly sensitive, including mailing address, email address, phone number, date of birth, Social Security Number, medical claims information, banking information, billing information, and/or medical treatment information. In response, UUHP mailed formal notification letters to all impacted members on August 10, 2023. While UUHP stated it had no indication that any member information had been misused at that time, it advised all potentially impacted individuals to diligently monitor their accounts, charges, and statements for any discrepancies or services they did not receive. These individuals were also encouraged to report any concerns to their local law enforcement or consumer protection agency.

A separate breach involving donor records was reported to University of Utah Advancement on June 29, 2023. The vendor TIAA Kaspick alerted university advancement leaders about a security breach that had occurred at the end of May within their systems. This incident impacted approximately 30 planned or legacy giving donors to the university. The personal information exposed was limited to names, birthdates, and Social Security numbers; no other donor information was compromised. The vendor took responsibility for notifying all impacted donors or their legal representatives. Furthermore, TIAA Kaspick offered each impacted individual free credit monitoring services for a period of two years. As of the reporting date, no fraudulent activity related to this specific breach had been reported.

A third and larger breach was communicated to University Human Resources by TIAA on July 7, 2023. TIAA reported that data for a significant number of current and former university employees may have been exposed through their systems. The data elements involved included dates of birth and Social Security numbers. The scope of this exposure was substantial, potentially affecting more than 13,800 individuals. TIAA, working in coordination with University Human Resources, undertook the task of communicating directly with all affected employees to inform them of the situation. This particular update was provided by the university on August 31, 2023.

The final potential exposure involved student records managed by the University Registrar through its relationship with the National Student Clearinghouse. The National Student Clearinghouse, which provides degree and enrollment verification services, also experienced a security incident related to the MOVEit software. However, in a notice sent to the University Registrar on August 9, 2023, the Clearinghouse’s representative provided a significant clarification. They stated that their investigation did not identify any individuals associated with the University of Utah whose Social Security number, student identification number, or date of birth, as provided by the university, was included in the affected files that were accessed. This indicated that while the vendor was impacted, specific sensitive data pertaining to University of Utah students was not confirmed to have been compromised. The university noted that other state colleges and universities within the Utah System of Higher Education were also impacted by the broader incident involving the National Student Clearinghouse. The collective response from the state system was documented in a separate student notice published online.

The university's overarching response was characterized by a reliance on its vendors to detect, contain, and lead the notification and mitigation efforts for each distinct breach. In each case, the third-party vendor was the first to identify the unauthorized access within their own systems and then proactively notify their respective university contacts. The containment action, as exemplified by TMG Health’s response, involved immediately blocking the unauthorized user from the compromised server to prevent further data exfiltration. The duty of notifying affected individuals fell primarily to the responsible vendor, with the university or its subunits, such as UUHP and Human Resources, facilitating or endorsing this communication. The offer of remedial services, such as credit monitoring, was also vendor-led, as seen in the TIAA Kaspick incident. The university adopted a transparent posture by publicly documenting these separate incidents in a single ongoing statement, which it committed to updating as more information became available. The full impact of these incidents was assessed over a period of several months, with confirmations and updates being issued from late May through the end of August 2023.
