Maximus hit by MOVEit ransomware breach Just_Super

As many as 11 million people may have had their personal information exposed by a breach of the company's networks.

Maximus is the first government contractor to publicly disclose that its computer systems suffered a breach from the MOVEit ransomware hack.

MOVEit is a file transfer application that Maximus used internally and with government customers.

In a Securities and Exchange Commission filing posted Wednesday, Maximus said that between 8 million and 11 million individuals could have had their personal information exposed including health information.

The company may need several weeks to determine the exact number, according to the filing.

Maximus has set aside $15 million in expenses quarter ended June 30 to cover what it currently estimates to be the cost of needed investigation and remediation work, such as credit monitoring and identity restoration services.

“Data privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us,” Maximus said in a statement.

The company said that it has not found any impact on other parts of its networks, but that it will "continue to closely monitor our systems for any unusual activity."

Progress Software Corp., developer of MOVEit, disclosed the vulnerability on May 31 after receiving reports from customers of unusual activity in their MOVEit instance.

Since then, more than 450 organizations that include several government agencies have reported MOVEit hacks.

Tysons, Virginia-headquartered Maximus is the first publicly-traded government contractor to disclose a breach related to the MOVEit hack.

Maximus has been notifying customers and federal and state regulators. It will also contact individuals as appropriate.

“Individuals receiving notice will be offered free credit monitoring and identity restoration services,” the company said.

If Maximus’ estimate of up to 11 million people whose information was exposed holds up, it would be the largest health care-related data breach this year, according to a report by Tech Crunch.

Tech Crunch reported that Clop, a Russia-linked data extortion group, claims to have stolen 169 gigabytes of data from Maximus. Clop is claiming responsibility for the MOVEit hacks.

Several other publications have reported that Deloitte’s networks were breached. In a statement provided to Washington Technology, Deloitte said it has seen no impact on client data.

This breach is still in the early stages and will continue to develop. The Homeland Security Department's Cybersecurity and Infrastructure Security Agency and FBI are urging government agencies to implement mitigation steps posted by CISA.