Texas Medicaid recipients may be part of massive data breach

By Marin Wolf | The Dallas Morning News (TNS)

Information from Texas Medicaid recipients may be part of a data breach at a third-party platform used by the Texas Health and Human Services Commission (Dallas Morning News 2017 File Photo | TNS)

Texas Medicaid recipients are the latest victims of a massive data breach at the third-party file transfer platform MOVEit, UMass Chan Medical School announced Thursday.

The Texas Health and Human Services Commission previously used the MOVEit platform to transfer files related to services provided by UMass Chan. The Texas health agency functions as the state arm of the jointly run state and federal Medicaid program.

Hackers breached MOVEit in late May 2023, and files containing the names and Social Security numbers of some Texans who received HHSC services were identified on Aug. 17. HHSC was alerted to these findings the same day, UMass Chan said in the press release.

The release did not say how many people may have been impacted by the hack. Individuals can call UMass Chan directly at 855-457-6006 to determine whether they were a part of the breach, HHSC press officer Jennifer Ruffcorn said in an email.

The MOVEit hack has impacted more than 2,500 organizations and 67 million people. Maximus, a federal contractor that works with Medicaid, was the largest organization affected with 11 million individuals, according to anti-malware and cybersecurity firm Emsisoft. Other organizations include the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing and the Oregon Department of Transportation.

Maximus, which is also a contractor to Texas HHSC, alerted some Texans in September that their information was affected by the MOVEit breach, San Antonio news station KENS 5 reported. A filing with the Office of the Attorney General shows that nearly 88,500 Texans were affected.

Cyberattacks are increasingly common and indiscriminate. Recently, the ransomware group Play said it hacked into Dallas County’s network and posted some of the stolen information on the dark web. Dallas County officials said Tuesday that they are examining the stolen files to see whether the data includes personal information about employees or residents.

Hackers stole about 819,000 files stored by the city of Dallas in a ransomware attack this spring.

Beginning Sept. 1, anyone doing business in Texas is required to notify the attorney general of computer breaches involving sensitive information of at least 250 people within 30 days of discovering the incident. Previously, state law required notification within 60 days of a breach discovery.

©2023 The Dallas Morning News. Visit dallasnews.com. Distributed by Tribune Content Agency, LLC.