Massachusetts health officials warn of data breach involving more than 134K people

State health officials say ‘worldwide data security incident’ linked to MOVEit

Health officials in Massachusetts are warning that more than 134,000 people may have had their personal and medical information stolen as part of a "worldwide data security incident" involving the file-transfer program MOVEit. 

The Executive Office of Health and Human Services (EOHHS) said UMass Chan Medical School in Worcester, which provides services to the agency, has started notifying affected individuals "currently or previously enrolled in certain state programs."

Data that the EOHHS said may have been subject to "unauthorized acquisition" include names, dates of birth, mailing addresses, Social Security numbers, financial information and protected health information such as "diagnosis/treatment information, prescription information, provider names, dates of service, claims information, health insurance member ID numbers, and other health insurance related information." 

The amount of information involved in the incident varies by person, it added. 

The UMass Chan Medical School in Worcester, Massachusetts, learned about the data incident on June 1, state health officials say. (Google Maps)

"This incident was part of a worldwide data security incident involving a file-transfer software program called MOVEit, which has impacted state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations," it said. "No UMass Chan or state systems were compromised in this incident." 

"Any individual who receives a notice is encouraged to take steps to protect their information, including monitoring their financial account statements and enrolling in free credit monitoring and identity theft protection offered to individuals who had certain sensitive information involved," it added. 

The office said when UMass Chan learned about the vulnerability on June 1, it immediately fixed it, contacted law enforcement and launched an investigation. 

"UMass Chan identified the files that may have been subject to unauthorized acquisition as a result of the MOVEit security flaw," it also said. "On July 27, 2023, UMass Chan determined that some of these files contained information pertaining to individuals who received services from EOHHS." 

The state of Massachusetts says on its website that "MOVEit is a file transfer software program licensed by a company called Progress Software" and it was "used to transfer files as part of the services provided by UMass to certain EOHHS agencies and programs." 

In June, Fox News Digital reported that several U.S. government agencies had been impacted by the vulnerability in the software program as well.

The U.S. Cybersecurity and Infrastructure Security Agency is now working to determine the origin of the attack and what may have been stolen. 

FOX Business' Anders Hagstrom contributed to this report.