Medicaid Contractor Data Breach Affected 334,000 Providers
Maximus Corp. Says Personal Information Exposed in Unauthorized Access to App
Maximus Corp., a global provider of government health data services, says a data breach exposed the personal information of more than 334,000 Medicaid healthcare providers nationwide.
The company says in a statement provided to Information Security Media Group that on May 19, it discovered an unauthorized party had accessed one of its applications related to Medicaid provider credentialing and licensing with the Ohio Department of Medicaid between May 17 and May 19.
"This incident did not affect patient or Medicaid beneficiary information. Some personal information about healthcare providers may have been impacted, including names, dates of birth and Social Security numbers," the company states.
A breach notification provided to the Montana attorney general's office says Medicaid providers' Drug Enforcement Agency numbers also may have been exposed in the breach.
In a filing with Maine's attorney general, Maximus says 334,690 individuals were affected when one of the company's external systems was breached. The notice states those affected will receive two years of free identity protection services through Experian.
In its statement provided to ISMG, Maximus did not supply a complete list of the states that were informed of the breach nor did the company offer details on the type of attack. The company says it began informing the individuals affected on June 18, along with filing formal data breach notifications with state officials where the victims are located.
As of Wednesday, the incident was not yet listed on the Department of Health and Human Services' website that offers a tally of major health data breaches.
"Because the unauthorized activity was detected at a very early stage, Maximus believes our quick response limited potentially adverse impacts. This incident did not affect any other Maximus servers, applications or customers," the company says in its statement. It says it has no evidence the attackers have misused any of the information.
Maximus, which is based in Reston, Virginia, is an administrator of Medicaid enrollment broker services. The company says it answers more than 7 million Medicaid-related calls per month. It handles similar services in Australia, Canada, Italy, Saudi Arabia, Singapore, South Korea, Sweden and the U.K.
Other Recent Healthcare Incidents
Healthcare providers and their third-party suppliers have been targeted by cybercriminals in increasing numbers.
In a recent data breach notice, Attleboro, Massachusetts-based Sturdy Memorial Hospital said that on Feb. 9, it identified a security incident that disrupted the operations of some of its IT systems, affecting about 57,400 people. The hospital reported paying a ransom in exchange for promises by the attackers to destroy stolen data.
On Monday, Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, reported their systems were hit by a ransomware attack in April. The clinic operator says it regained control of its network and data after contacting the attackers.