Cyber Incident Victim: Johns Hopkins Health Plans

Date:

May 2023

Location:

United States of America

Summary

A cybersecurity incident at Johns Hopkins Advantage MD involved unauthorized downloads of member information from a vendor's MOVEit system. The compromised data included names, dates of birth, contact details, Social Security numbers, bank account information, and health insurance details. The organization is working with the vendor and law enforcement, and it notified affected members while offering complimentary credit monitoring services. There is no evidence of misuse of the exposed information.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On May 30, 2023, an unauthorized party initiated a series of actions against a vendor system used by Johns Hopkins Advantage MD. This activity, which involved the use of the MOVEit file transfer tool, continued until June 2, 2023, during which time multiple downloads of information were conducted by the threat actor. The security incident was not discovered by the vendor until June 21, 2023, at which point they immediately initiated an investigation into the breach. Advantage MD itself was notified of the incident by its vendor on the following day, June 22, 2023. The investigation confirmed that the unauthorized downloads had taken place during the specified date range.

The scope of the incident involved data belonging to plan members of Johns Hopkins Advantage MD. The organization conducted a comprehensive review of the information that was downloaded to determine the specific nature of the data exposed. The information involved was not uniform for all affected individuals and varied from person to person. The compromised data elements included personally identifiable information such as full name, date of birth, home address, email address, and phone number. Highly sensitive financial and government identifiers were also accessed, including Social Security numbers and bank account information. Health insurance information was also among the data types exfiltrated in the attack.

In response to the incident, Johns Hopkins Advantage MD worked closely with the affected vendor to address the vulnerability and secure their systems. These efforts were focused on updating systems to block the specific activities used by the attacker and to prevent similar disclosures from occurring in the future. The vendor involved took the step of notifying law enforcement agencies in an effort to mitigate the situation. The parent organization expressed its commitment to maintaining the privacy and security of member information and stated it was taking the incident very seriously.

To directly address the impact on individuals, Johns Hopkins Advantage MD undertook a process to notify all affected plan members. The organization used the contact information it had on file to mail formal notification letters. This mailing process began on August 3, 2023. The letters detailed the incident and provided information on steps individuals could take to monitor and protect their personal information. The correspondence also included instructions for affected individuals to enroll in complimentary credit monitoring and identity resolution services offered through IDX's MyIDCare™ Identity Protection program. A deadline of August 28, 2023, was established for individuals to expect their notification letter; plan members who believed they were involved but did not receive a letter by that date were instructed to contact IDX directly via a dedicated phone number.

For additional support, Johns Hopkins Advantage MD directed its members to a dedicated resource website hosted by IDX and reiterated the phone number for the call center, which operated on weekdays during Eastern Time business hours. The organization stated it had no reason to believe that any of the exfiltrated information had been misused following the incident. Despite this assessment, the potential consequences for affected individuals were significant due to the highly sensitive nature of the stolen data, which combined personal, financial, and health-related information, thereby elevating the risk of identity theft and fraud.
