Massachusetts health officials warn of data breach affecting more than 134,000 people

BOSTON — Massachusetts health officials are warning residents of a “global security incident” affecting the personal information of more than 134,000 people, state officials said Tuesday.

UMass Chan Medical School on Monday began “notifying more than 134,000 individuals currently or previously enrolled in certain state programs that their personal information was involved in a recent third-party data security incident,” Executive Office of Health and Human Services officials said in a statement.

“This incident was part of a worldwide data security incident involving a file-transfer software program called MOVEit, which has impacted state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations,” officials said.

Thomas Koenig, senior media strategist for Goldin Solutions, said in an email to Boston 25 on Tuesday that MOVEit disclosed the vulnerability on May 31, and deployed a patch the same day.

No UMass Chan or state systems were compromised in the incident, officials said. Impacted individuals have been sent notice by mail and will be contacted by phone, text, and e-mail where possible.

“Any individual who receives a notice is encouraged to take steps to protect their information, including monitoring their financial account statements and enrolling in free credit monitoring and identity theft protection offered to individuals who had certain sensitive information involved,” officials said.

Officials are also asking people who may have been impacted by the breach “to remain vigilant” by reviewing their financial account statements.

“If you see charges or activity that you did not authorize, contact your financial institution immediately,” officials said in their statement. “Take steps to protect your accounts by contacting your bank, credit union, or financial institution immediately by using the number on the back of your bank card or by visiting in person to notify them of your involvement in this security incident.”

UMass Chan provides services to the Executive Office of Health and Human Services including for MassHealth, the State Supplement Program, Family Resource Centers, the Executive Office of Elder Affairs and Aging Services Access Points. Impacted individuals are a subset of current or recent participants in these programs.

“UMass Chan first learned about the MOVEit vulnerability on June 1, 2023 and immediately fixed the vulnerability, contacted law enforcement, launched an investigation and worked to identify the individuals whose information was involved. UMass Chan identified the files that may have been subject to unauthorized acquisition as a result of the MOVEit security flaw,” officials said. “On July 27, 2023, UMass Chan determined that some of these files contained information pertaining to individuals who received services from EOHHS.”

While the information involved in the data security incident varied by person, it included names and one or more of the following:

• Dates of birth,

• Mailing addresses,

• Protected health information, i.e., diagnosis/treatment information, prescription information, provider names, dates of service, claims information, health insurance member ID numbers, and other health insurance related information,

• Social Security numbers,

• Financial account information.

State Supplement Program participants (including recipients, other members of the household and authorized representatives), MassHealth Premium Assistance members, MassHealth Community Case Management participants, and Executive Office of Elder Affairs and Aging Services Access Points home care program consumers were primarily impacted. If you do not participate in one of those programs, it is unlikely your data was exposed.

Beginning on Tuesday, individuals whose information was involved will receive letters from the state and UMass Chan, officials said. The letter explains what data was impacted for each individual, the actions taken in response to the MOVEit incident and detailed steps that individuals can take to protect their information.

UMass Chan is offering free credit monitoring and identity theft protection services to individuals whose Social Security numbers or financial information were involved in this incident.

For more information, visit mass.gov/MOVEitIncident or umassmed.edu. Individuals who receive notification that their data is involved and have further questions may call 855-862-7769, Monday through Friday, from 9 a.m. to 5 p.m.


This is a developing story. Check back for updates as more information becomes available.
