Cyber Incident Victim: University of Texas Southwestern Medical Center
Date: May 2023
Location: United States of America

Summary
UT Southwestern Medical Center experienced a cybersecurity attack resulting from the exploitation of a zero-day vulnerability in its MOVEit file transfer server. An unauthorized individual accessed and stole protected health information, which included patient names, medical record numbers, dates of birth, medication details, and for a smaller subset, Social Security numbers. The organization took immediate steps to secure its systems and is directly notifying all impacted individuals, though no malicious use of the stolen data has been reported.
Description
On May 28, 2023, an unknown individual exploited a previously unidentified vulnerability within the MOVEit software utilized by UT Southwestern Medical Center. This software was used by the institution to securely move large data files between networks. The exploitation of this vulnerability allowed the unauthorized individual to gain access to the files stored within the medical center’s MOVEit server. The incident was not immediately detected; it was brought to the attention of the UTSW Privacy Office two days later on May 30, 2023. The organization confirmed it was one of many entities, both nationally and internationally, to be affected by a widespread cybersecurity attack targeting this specific software vulnerability.

Upon discovery of the attack, UT Southwestern immediately took steps to secure its systems and networks. These initial response actions were focused on containment and were aimed at limiting the amount of information housed within the now-compromised MOVEit server to prevent any further potential data exfiltration. A multidisciplinary team was assembled to manage the incident response process. This team began the forensic analysis required to identify both the specific individuals whose data was accessed and the precise types of data that were stolen. This analysis was a necessary precursor to any official notification process and was critical for understanding the full scope of the breach.
The forensic analysis confirmed the theft of certain protected health information. The stolen patient data varied from individual to individual based on the contents of the specific files that were accessed. The compromised information included patient names, medical record numbers, and dates of birth. Furthermore, the data included health information related to prescriptions, specifically the names of medications, the dosage of those medications, and the identities of the prescribing providers. For a smaller subset of patients, the stolen data was more sensitive and included Social Security numbers. The total number of patients affected by this data theft was not publicly disclosed by UT Southwestern Medical Center.
Following the completion of the initial analysis, UT Southwestern entered the notification and remediation phase of its response. The organization stated it was in the process of contacting each impacted patient through direct mail. These notifications were intended to be personalized, providing individuals with specifics on the exact type of their information that was involved in the data theft. The medical center established a dedicated call center and a response website to assist affected patients and answer any questions they might have. The call center could be reached at a provided toll-free number.
In its communications, UT Southwestern informed patients that receiving a notification letter did not mean they were a victim of identity theft. The organization stated that at the time of its public notification, it had not received any information indicating that the stolen data was being used in a malicious manner. Despite this, the notification outlined precautionary actions that individuals could take to protect themselves. These suggested actions included changing passwords, utilizing two-factor or multifactor authentication where available, and notifying credit bureaus and monitoring agencies of any suspicious activity. The institution provided references to external resources from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission for informational purposes, while explicitly stating it did not endorse any specific product or service.
The ongoing response activities included continuous monitoring for any additional suspicious activities within its network. The institution expressed regret for the incident and the concern it may have caused, reiterating that the protection of data was a top institutional priority and that the incident was being handled in accordance with its internal policies and relevant regulations. The cybersecurity attack on UT Southwestern was part of a broader wave of incidents affecting numerous organizations globally that were leveraging the same MOVEit software vulnerability, highlighting the widespread impact of the exploit.
