
Cyber Incident Victim: Academic HealthPlans

Date: May 2023

Location: United States of America

Summary

UnitedHealthcare Student Resources experienced a data security incident after an unauthorized third party exploited a zero-day vulnerability in the MOVEit Transfer software. The threat actor accessed its MOVEit server and removed copies of personal information, which included names, contact details, identification numbers, and extensive health claims information. For a subset of individuals, Social Security numbers or national identification numbers were also involved. The organization notified affected individuals and offered complimentary credit monitoring services.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 3 actors
Type: Available to members
Location: Available to members

Description

On May 31, 2023, Progress Software announced the discovery of a previously unknown zero-day vulnerability in its MOVEit Transfer secure file transfer platform. This vulnerability could allow an unauthorized third party to access files sent using the software. UnitedHealthcare Student Resources (Student Resources), which provides health insurance to college and university students, used this software. Upon learning of the vulnerability announcement, Student Resources immediately began an investigation into any potential impact on its systems and took action to secure them. The subsequent forensic investigation determined that an unauthorized third party had in fact exploited the vulnerability several days before its public disclosure. The threat actor accessed and removed copies of personal information from the Student Resources MOVEit server on May 27, 2023.


The Clop ransomware gang took responsibility for the broader attacks exploiting the MOVEit vulnerability, claiming to have breached hundreds of companies. The group stated that it would list non-negotiating companies on its data leak site on June 14, 2023, and begin leaking the stolen data on June 21, 2023, if extortion demands were not met. On or around June 14, 2023, the Clop gang listed thirteen companies on its site. Student Resources was among these named entities, a listing that served as a public extortion attempt. Other confirmed victims of the MOVEit campaign listed by Clop at that time included Shell, the University of Georgia, the University System of Georgia, Heidelberger Druck, and Landal Greenparks.

The information stolen from the Student Resources server varied by individual. It potentially included a combination of names, dates of birth, addresses, phone numbers, email addresses, plan identification numbers, policy information, student identification numbers, and claims information. The claims information encompassed claim numbers, provider details, dates of service, diagnosis codes, prescription information, and claims financial information. For a subset of the impacted population, the involved information also contained Social Security numbers or national identification numbers. The company confirmed the incident did not involve the disclosure of driver’s license numbers or any financial account information, and not all data elements were involved for every individual.

In response to the incident, Student Resources launched a forensic investigation and contacted law enforcement. The company’s MOVEit software was patched to the most current version available at the time the vulnerability was announced. Student Resources also applied all subsequent MOVEit patches and service packs released by Progress Software. The investigation was complex and time-consuming, undertaken to confirm the full scope of what occurred and to accurately identify the individuals who may have been impacted. This process delayed the public notification, which occurred on July 21, 2023.

The company began notifying, by letter or electronic communication, those affected individuals for whom sufficient contact information was available. The notification explained the nature of the incident and the types of personal information that were potentially involved. Student Resources established a dedicated toll-free hotline to answer questions at 1-866-341-4262, operational Monday through Friday between 7 a.m. and 7 p.m. CST. For all individuals whose information may have been impacted, Student Resources offered complimentary credit monitoring and identity protection services. This service was provided through Norton LifeLock for a period of two years. The company specified that these services were also available to individuals who were not U.S. citizens or who did not have a Social Security number.

While Student Resources stated it was unaware of any actual misuse of the stolen information, it advised affected individuals to take precautionary steps. These precautions included carefully reviewing account statements and credit reports for any unfamiliar activity. The company specifically recommended that individuals remain vigilant by monitoring explanation of benefits statements from their health plan for any services they did not receive. Individuals were advised to report any suspicious activity immediately to their health plan, financial institution, or relevant authority. The provided guidance also detailed how individuals could place a fraud alert or a security freeze on their credit files with the three nationwide credit bureaus at no cost.

The incident impacted Student Resources as a file transfer service user and was part of a much larger, global cyberattack campaign. Numerous other organizations were also compromised through the same MOVEit vulnerability, including Zellis (impacting the BBC, Boots, and Aer Lingus), the University of Rochester, the governments of Nova Scotia, Missouri, and Illinois, and several U.S. federal agencies, including two Department of Energy entities. The attack method followed a pattern previously employed by threat actors who exploited zero-day vulnerabilities in other managed file transfer solutions like Accellion FTA and GoAnywhere MFT. In those prior incidents, threat actors had demanded multimillion-dollar ransoms to prevent the public leaking of stolen data. The extortion attempt against Student Resources and other victims was a direct consequence of the data theft, with the threat actors leveraging the threat of public exposure to pressure victims into paying. The ultimate success of this extortion campaign against the various victims, including Student Resources, was not detailed in the available information. The compromise represented a significant data security incident due to the sensitivity of the health and personal information involved and the large population of students and associated individuals potentially affected.

Sources: 2 sources (available to members)