
Cyber Incident Victim: UnitedHealthcare Student Resources

Date: May 2023

Location: United States of America

Summary

UnitedHealthcare Student Resources experienced a data breach when the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer platform, accessing and exfiltrating sensitive information from its systems. The compromised data included names, dates of birth, contact details, student identification numbers, health plan information, claims data, and for some individuals, Social Security numbers or national IDs. The organization initiated an investigation upon discovering the vulnerability, secured its systems with available patches, and notified affected individuals while offering credit monitoring services. Clop listed the entity on its leak site as part of extortion efforts tied to the MOVEit attacks, though no confirmed data misuse has been identified.


Description

On May 31, 2023, Progress Software disclosed a previously unknown zero-day vulnerability in its MOVEit Transfer secure file transfer platform, which enabled unauthorized third-party access to files transmitted through the software. UnitedHealthcare Student Resources (UHSR), a provider of health insurance to college and university students, immediately initiated an investigation upon learning of the vulnerability and took steps to secure its systems. Forensic analysis revealed that an unauthorized actor had exploited this vulnerability on May 27, 2023—four days before the flaw's public disclosure—to access UHSR's MOVEit server and exfiltrate copies of personal information. The Clop ransomware gang claimed responsibility for coordinated attacks against MOVEit Transfer users during this period, listing UHSR among thirteen initial victims on their data leak site on June 14, 2023, as part of extortion efforts. Clop threatened to publish stolen data by June 21 if ransom negotiations failed, though UHSR did not publicly confirm whether it engaged with or paid the threat actors.

The compromised data included combinations of names, dates of birth, addresses, phone numbers, email addresses, plan identification numbers, policy details, student identification numbers, claims information (claim numbers, provider details, dates of service, diagnosis codes, prescription data), and claims financial information. For a subset of individuals, Social Security numbers or national identification numbers were exposed, though driver’s license numbers and financial account information remained unaffected. UHSR completed patching its MOVEit software following Progress Software’s guidance and applied all subsequent security updates. The organization began notifying impacted individuals by July 21, 2023, offering two years of complimentary credit monitoring and identity protection services through Norton LifeLock, including provisions for non-U.S. citizens and individuals without Social Security numbers. A dedicated toll-free hotline (1-866-341-4262) was established for inquiries, and UHSR collaborated with law enforcement during its investigation. While no misuse of data was confirmed, UHSR advised affected individuals to monitor account statements, credit reports, and healthcare benefit explanations for unauthorized activity, directing them to report suspicious incidents to relevant institutions and the FTC. The breach’s scope remained undetermined in public disclosures, with UHSR confirming only that data removal occurred from its MOVEit server during the May 27 intrusion window.
