Cyber Incident Victim: Maryland's Department of Health and Human Services
Date: May 2023
Location: United States of America
Summary
A cyberattack exploiting a zero-day SQL injection vulnerability in the MOVEit Transfer managed file transfer software (CVE-2023-34362) exposed data held on behalf of the Maryland Department of Health and Human Services. The incident was part of a wider campaign by the Clop ransomware group against numerous government and healthcare organizations. Personally identifiable information of a large number of individuals was compromised; the categories at risk included medical records, Social Security numbers, and bank records. The department's own systems were not breached: attackers obtained its data by exploiting the vulnerable software on a third-party vendor's systems.
Description
The U.S. Department of Health and Human Services notified Congress on or before June 27, 2023, that the personally identifiable information of at least 100,000 individuals had been compromised. The incident was part of a wider hacking campaign exploiting a vulnerability in the MOVEit managed file transfer software. The department confirmed that its own internal systems and networks were not directly compromised; attackers instead obtained HHS data by exploiting the vulnerable software on the systems of the department's third-party vendors. HHS classified the event as a major incident under federal reporting requirements, which triggers a formal congressional notification within seven days of that determination.

The broader exploitation campaign that ensnared HHS vendors began around May 27 and May 28, 2023. The Russian-speaking Clop ransomware group launched widespread attacks against a previously unknown SQL injection vulnerability in MOVEit Transfer. This zero-day flaw, designated CVE-2023-34362, allowed the attackers to gain unauthorized access to the database behind systems running the vulnerable software and to steal the files those systems held. Progress Software, the developer of MOVEit, confirmed the flaw and issued a patch on May 31, 2023. Shortly after that initial patch, Progress identified and fixed two additional SQL injection vulnerabilities in the same product (CVE-2023-35036 and CVE-2023-35708); unlike the first flaw, these were found before any exploitation was observed, so they were not zero-days in the strict sense.
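The flaw class behind CVE-2023-34362 is SQL injection: untrusted input spliced into query text changes the structure of the query rather than just its data. The following is an added, constructed illustration of that class and of the standard fix; it is not MOVEit's code and makes no claim about the exact injection point in that product. It uses an in-memory SQLite table of constructed sample rows, a hypothetical file-listing function written first with string concatenation and then with a bound parameter, and a classic always-true predicate as the attacker input.

```python
"""Constructed illustration of SQL injection (CWE-89) and its fix.

Not MOVEit's code: the table, rows, function names and attacker input are
all invented for this example. It shows why a single concatenated string
lets a caller read every owner's rows, and why a bound parameter does not.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?)",
        [("alice", "payroll.xlsx"), ("bob", "notes.txt"), ("carol", "ssn_export.csv")],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Vulnerable: the caller-supplied owner is pasted into the SQL text.

    A quote character in `owner` terminates the string literal, and anything
    after it is parsed as SQL, so the caller controls the WHERE clause.
    """
    query = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def list_files_fixed(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Hardened: the driver binds `owner` as a value; it cannot alter the query."""
    query = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(query, (owner,))]


# Constructed attacker input. The leading quote closes the literal and the OR
# makes the predicate always true, so the vulnerable query returns every row.
INJECTED_OWNER = "x' OR '1'='1"


def demo() -> dict[str, list[str]]:
    """Run both variants with a normal owner and with the injected owner."""
    conn = make_db()
    return {
        "vulnerable_normal": list_files_vulnerable(conn, "bob"),
        "vulnerable_injected": list_files_vulnerable(conn, INJECTED_OWNER),
        "fixed_normal": list_files_fixed(conn, "bob"),
        "fixed_injected": list_files_fixed(conn, INJECTED_OWNER),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

The vulnerable path returns all three owners' files for the injected input, which is the data-theft outcome the campaign relied on at scale; the parameterized path treats the same input as an owner name that matches nothing and returns an empty list.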
The Clop group utilized the vulnerability to steal data from numerous organizations globally. HHS was among a growing list of U.S. federal government entities reporting major breaches related to this campaign. Other federal agencies confirmed as victims included the Department of Energy, the Department of Agriculture, and the Office of Personnel Management. The campaign also extensively targeted state-level agencies, including Maryland's Department of Health and Human Services, as well as the education departments for Minnesota and New York City. The healthcare sector was a significant focus, with other victims including Nova Scotia Health in Canada, which reported a June incident compromising the personal information of 100,000 employees. Healthcare software firm Vitality Group International and Talcott Resolution Life Insurance Co. were also named as victims, alongside several universities.
In response to the escalating threat, HHS's Health Sector Cybersecurity Coordination Center (HC3) issued an alert to the healthcare and public health sector on June 2, 2023. The alert warned organizations of the active threats involving potential MOVEit compromises. It stated that sensitive information, including medical records, bank records, Social Security numbers, and addresses, was at risk if the vulnerability was leveraged. The alert further warned that targeted organizations could be subject to extortion by financially motivated threat groups, directly referencing the tactics of the Clop operation.
An HHS official stated the department was taking "all appropriate actions" in responding to the incident involving its vendors. In accordance with the Federal Information Security Modernization Act (FISMA), HHS committed to providing Congress with additional information as its investigation into the matter continued. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) were also engaged, continuing to probe the wider attacks and assist victims. The FBI publicly urged all organizations affected by the Clop campaign to alert the bureau if they had not already done so.
The Clop ransomware group claimed responsibility for the widespread attacks and began listing victim organizations on its data leak site. The group posted a message in broken English claiming to have deleted data stolen from approximately 30 government agencies or contractors. The group stated this action was taken because they were "only financial motivated and do not care anything about politics," an apparent attempt to avoid becoming a target of heightened law enforcement scrutiny by not holding data from certain government entities for extortion. Despite these claims, the group continued to extort other victims listed on its site.
The total number of individuals affected by the global MOVEit campaign was large and still being tallied. By June 30, 2023, a threat analyst at Emsisoft estimated that only about 11 of an estimated 150 victim organizations had publicly issued notifications quantifying the number of affected individuals, yet the sum of those confirmed notifications already exceeded 16 million people whose personal details were stolen. The HHS incident, affecting at least 100,000 people, was a confirmed part of that total. HHS did not immediately respond to requests for additional details about its specific incident, including a more precise count beyond the minimum figure of 100,000 provided to Congress. The incident demonstrated the risk that vulnerabilities in third-party software pose to federal government data even when an agency's own network is never touched: the exposure is inherited from every vendor that processes the agency's data.
