More than 134,000 people enrolled or formerly enrolled in certain Massachusetts state programs had personal information, including medical details and financial data, compromised in a data breach involving a file transfer program used by Boston-based UMass Chan Medical School, according to an Aug. 15 report from CBS News.
The exposed data varies from patient to patient, but could include the person's name and at least one other piece of information, including date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information, according to a statement from the office of Health and Human Services.
The breach came from a vulnerability in software program MOVEit, which was used to transfer files from UMass to state health agencies and programs.
"This incident was part of a worldwide data security incident involving a file-transfer software program called MOVEit, which has impacted state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations. No UMass Chan or state systems were compromised in this incident," HHS said in a statement.
The breach mostly impacted State Supplement Program participants, MassHealth Premium Assistance members, MassHealth Community Case Management participants, and Executive Office of Elder Affairs and Aging Services Access Points home care program consumers.
People who had compromised information should have begun to receive letters from UMass Chan and the state starting Aug. 15, according to the report.
Since 2009, 8.4 million health accounts have potentially been breached in Massachusetts, with nearly 4 million accounts potentially affected in 2023 alone, according to a study from VPN services company Surfshark.