Cyber Incident Victim: UMass Chan Medical School

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident at UMass Chan Medical School involved a global security flaw in the MOVEit file-transfer software. This third-party breach exposed the personal information of over 134,000 Massachusetts residents enrolled in state health and human service programs. The compromised data included names, Social Security numbers, dates of birth, addresses, and Medicare/Medicaid numbers. No internal systems were compromised.


Description

On or about May 27, 2023, unauthorized parties exploited a security flaw in the MOVEit Transfer software, a file-transfer program licensed from Progress Software and used by thousands of organizations globally. This exploitation was part of a large-scale, worldwide data security incident that impacted numerous state and federal government agencies, financial services firms, pension funds, and other types of companies and not-for-profit organizations. The University of Massachusetts Chan Medical School (UMass Chan), which provides services to the Massachusetts Executive Office of Health and Human Services (EOHHS), utilized the MOVEit software to transfer files as part of its services for certain EOHHS agencies and programs. These agencies and programs included MassHealth, the State Supplement Program (SSP), the Executive Office of Elder Affairs (EOEA), Aging Services Access Points (ASAPs), and Family Resource Centers (FRCs). The unauthorized access occurred between May 27, 2023, and May 28, 2023. It is important to note that no UMass Chan or state systems were directly compromised; the incident was strictly a result of the vulnerability within the third-party MOVEit application.

UMass Chan first learned of the security flaw in the MOVEit software on June 1, 2023. Upon discovery, UMass Chan immediately contacted law enforcement and launched an investigation to determine the scope and impact of the incident. The investigation aimed to identify which files, if any, were accessed without authorization during the two-day period of exploitation. Forensic analysis was conducted to review the contents of the files that had been transferred through the vulnerable MOVEit instance. This investigation confirmed that the unauthorized parties had gained access to certain files that had been shared using the software during the specified timeframe. The investigation concluded that the incident was a direct result of the MOVEit security flaw and not a breach of UMass Chan's internal networks or systems.

By July 27, 2023, UMass Chan's investigation had identified the specific files that were subject to unauthorized acquisition and completed a review of their contents. The analysis determined that the compromised files contained the personal information of over 134,000 Massachusetts residents who were currently enrolled, or had been enrolled in the last few years, in certain state programs and services administered by EOHHS. The primary impacted individuals were participants in the State Supplement Program (SSP), which includes recipients, other members of their households, and authorized representatives; MassHealth Premium Assistance members; MassHealth Community Case Management participants; and consumers of the Executive Office of Elder Affairs (EOEA) and Aging Services Access Points (ASAP) home care programs. The types of personal information involved included full names, Social Security numbers, dates of birth, addresses, and Medicare/Medicaid numbers.

The response and containment actions began immediately after the discovery of the incident. UMass Chan implemented all publicly available software fixes for the MOVEit application to remediate the known security vulnerability and prevent further unauthorized access. Furthermore, UMass Chan stated it had taken steps to monitor its vendors’ data security practices more closely as a result of this event. The primary consequence of the incident was the potential exposure of highly sensitive personal data, creating a significant risk of identity theft and financial fraud for the affected individuals.

Notification to the impacted individuals was not immediate, as the investigation required time to accurately identify who was affected and what specific data was involved. Mailing of physical notification letters began on August 14, 2023. Impacted individuals were also to be contacted by phone, text, and email where possible. The letters provided a detailed explanation of the incident, specified the categories of personal information that were involved for each recipient, and outlined the steps being taken by UMass Chan in response. The letters also included information on how affected individuals could protect themselves and details on the offer of free credit monitoring services.

As a remedial measure, UMass Chan offered free credit monitoring and identity theft protection services to all individuals whose Social Security numbers and/or financial information were involved. This offer was for a five-year membership with Experian’s IdentityWorks service. The service was designed to help detect possible misuse of personal information and provide identity protection support, including daily credit monitoring, identity restoration services conducted by specialists, and $1 million in identity theft insurance. The notification letter contained an activation code and instructions for individuals to enroll in the program by a deadline of November 11, 2023. A dedicated toll-free phone number, 855-862-7769, was established and operated Monday through Friday from 9:00 a.m. to 5:00 p.m. Eastern Time to answer questions from affected individuals. This phone line offered support in multiple languages and through TTY services for the hearing impaired.

The incident had a substantial impact due to the large number of affected individuals and the highly sensitive nature of the data exposed. The compromised data elements are precisely the type of information commonly used to commit identity theft. The affected state programs serve vulnerable populations, including elderly individuals receiving home care and low-income residents receiving supplemental income or health insurance assistance, which may compound the potential harm. The global scale of the MOVEit incident meant that the UMass Chan event was one of many similar breaches affecting other organizations simultaneously, though the data exposed was specific to the Massachusetts residents enrolled in the state programs serviced by UMass Chan. The response focused on providing the affected individuals with the tools and information necessary to monitor their financial accounts and credit reports for signs of fraudulent activity. Individuals were strongly encouraged to remain vigilant by reviewing their financial account statements and to immediately contact their financial institutions if they observed any unauthorized charges or activity.
