Cyber Incident Victim: EMS Management & Consultants

On May 30, 2023, an unknown actor exploited zero-day vulnerabilities in the MOVEit Transfer tool used by EMS Management and Consultants Inc. (EMS|MC), a billing services provider based in Winston-Salem, North Carolina. The attacker successfully accessed the company's MOVEit Transfer server and exfiltrated certain data from it during this time. This external system breach constituted a hacking incident. The vulnerabilities exploited were publicly disclosed by Progress Software Corp. on May 31, 2023, with additional disclosures occurring again in June 2023. Upon the public disclosure of these vulnerabilities, EMS|MC moved quickly to apply available security patches and undertook all recommended mitigation steps to secure its system.

EMS|MC discovered the breach on July 12, 2023. Promptly following this discovery, the company launched a comprehensive investigation with the assistance of third-party cybersecurity specialists. The objective of the investigation was to determine the full potential impact of the vulnerabilities on the security of the data housed on the compromised MOVEit server. The investigation confirmed the initial access and data theft by the unknown actor on May 30. Following the breach discovery, EMS|MC subsequently undertook a detailed and time-consuming review of all the data that was stored on the server at the time of the incident. This review was necessary to understand the specific contents of the exfiltrated data and to identify the individuals to whom that data related.

The total number of persons affected by this incident was 223,598, which included 788 residents of the state of Maine. For one of its specific customers, Fayette County Fire and Emergency Services in Georgia, EMS|MC determined that information relating to 2,625 individuals was present in 94 specific files on the impacted server at the time of the event. This determination was made on July 10, 2023, as part of the detailed data review process. The information acquired by the attacker included an individual's name or other personal identifier in combination with their financial account number or credit/debit card number. This financial information was also in combination with the account's security code, access code, password, or PIN.

EMS|MC provided notification of the data event to all affected individuals. The type of notification used was written communication, mailed via the postal service to impacted individuals for whom the company had valid mailing addresses. These notice letters were sent on behalf of EMS|MC's various EMS agency customers. The date of consumer notification was August 9, 2023. The company stated it was unaware of any actual or attempted misuse of the information involved in the incident at the time of notification. As part of its response, EMS|MC offered identity theft protection services to the affected individuals. The service offered was credit monitoring provided by Experian for a duration of 12 months. The company and its customers encouraged potentially affected individuals to remain vigilant against incidents of identity theft by reviewing their account statements and explanations of benefits for any unusual activity. For additional information, interested parties were directed to contact a specific individual at EMS|MC, Kim Stanley, at the provided telephone number.