HHS Tells Congress 100,000+ People Affected by MOVEit HacksDepartment Says Attackers Gained Access to HHS Data Through 3rd-Party Vendors
The U.S. Department of Health and Human Services has notified Congress that the information of at least 100,000 individuals has been compromised in hacking incidents at HHS contractors involving the widening exploitation of a flaw in MOVEit, a managed file transfer software product.
The department notified Congress about the incident on Tuesday, an HHS official told Information Security Media Group. While no HHS systems or networks were compromised, attackers gained access to HHS data by exploiting the vulnerability in the MOVEit software used by third-party vendors, the official said.
HHS is taking "all appropriate actions" in responding to the incident, the official said. Also, in accordance with the Federal Information Security Modernization Act, HHS will provide Congress with additional information as the investigation into the matter continues, the official said.
Federal agencies are required to notify Congress within seven days of determining "major incidents" that compromise the personal identifiable information of 100,000 or more individuals.
Bloomberg on Thursday was first to report the HHS notification to Congress.
HHS did not immediately respond to Information Security Media Group's request for additional details about the incident, including the estimated total number of people affected.
HHS is among a growing list of U.S. federal government entities reporting major breaches related to the MOVEit vulnerability, which has been actively exploited by the Clop ransomware group for months. Also hit were the departments of Energy and Agriculture as well as the Office of Personnel Management. Clop also hit state agencies, including Maryland's Department of Health and Human Services and Minnesota and New York City's departments of education.
Healthcare sector entities affected by the campaign including a hacking incident in June affecting the personal information 100,000 employees of Nova Scotia Health in Canada (see: Nova Scotia Health Says 100,000 Affected by MOVEit Hack).
Other victims recently named on Clop's data leak site include healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Co. and the universities of Georgia, Johns Hopkins, Missouri, Rochester and Southern Illinois.
HHS issued an alert for the healthcare and public health sector on June 2, warning of threats involving potential MOVEit compromises.
"Sensitive information such as medical records, bank records, Social Security numbers and addresses are at risk if this vulnerability is leveraged," warned HHS' Health Sector Cybersecurity Coordination Center. "The targeted organization could be subject to extortion by financially motivated threat groups," HHS HC3 wrote.
The hacking campaign came to light after Russian-speaking cybercrime group Clop began targeting a previously unknown vulnerability in MOVEit around May 27 and May 28.
The developer of MOVEit, Progress Software, identified and patched the SQL injection flaw, designated CVE-2023-34362, on May 31. Shortly thereafter, the company identified and patched two more zero-day vulnerabilities, which attackers don't appear to have exploited.
So far, only about 11 of an estimated 150 victim organizations have issued notifications that quantify the number of affected individuals, which adds up to the theft of over 16 million individuals' personal details, Brett Callow, a threat analyst at Emsisoft, tweeted Thursday (see: Clop's MOVEit Campaign Affects Over 16 Million Individuals).
Clop claims in grammatically broken English to have deleted outright any data it stole from about 30 government agencies or contractors as part of the campaign, apparently to try and not make itself a national security target. "We are only financial motivated and do not care anything about politics," the group says on its data leak site.
The FBI and CISA are continuing to probe the attacks and assist victims. The FBI has urged all organizations affected by the Clop campaign to alert the bureau if they have not already done so.