Maximus
| Primary URL | Location | Industry |
|---|---|---|
| www[.]maximus[.]com | Country: United States of America | Government - Public Services |
Profile
Maximus Inc. operates as a government contractor providing administrative and technology services for health and human services programs, primarily within the United States. The company's core work involves managing state and federal government contracts, such as those for Medicaid, where it handles substantial volumes of sensitive personal information including provider and beneficiary data. Its role as a state contractor for Ohio's Medicaid program, managing an application containing provider names, Social Security numbers, and addresses, exemplifies its function as an intermediary processing critical government-held data. This positioning places Maximus within the specialized sector of public sector outsourcing, where it supports the operational infrastructure of large-scale social safety net programs. The nature of its services necessitates strict adherence to regulations governing protected health information and personally identifiable data, given the direct handling of such information for government clients. Its business model is built on securing and processing data on behalf of public agencies, making data security a fundamental component of its contractual obligations and operational continuity. The company's footprint is defined by its contractual relationships with multiple U.S. state governments and federal agencies, serving as a key vendor in the administration of public benefit programs.
The scale of Maximus's data handling responsibilities is evidenced by the significant impact of cybersecurity incidents it has experienced. In May 2023, the company was among hundreds of organizations compromised through a zero-day vulnerability in the MOVEit file transfer application, a third-party tool it used. This incident, attributed to the Clop ransomware group, resulted in unauthorized access to files containing the personal information of an estimated 8 to 11 million individuals, including Social Security numbers and protected health information. A separate, earlier incident in May 2021 involved unauthorized access to the specific Ohio Medicaid provider application managed by Maximus, potentially exposing data for hundreds of thousands of individuals. These events highlight the extensive data repositories under the company's purview and the associated risks of third-party software dependencies. Maximus's response to these breaches, including conducting investigations with external experts and notifying impacted individuals while offering credit monitoring, reflects standard incident response protocols for a firm in its sector. The company has stated that its internal systems beyond the compromised applications remained unaffected and that business operations continued without material interruption, underscoring a degree of operational resilience. These incidents collectively illustrate the critical intersection of large-scale public sector data processing and the persistent threat landscape facing such contractors.
