
Pension Benefit Information Confirms PHI of 1.2 Million Individuals Stolen in MOVEit Transfer Hack

Pension Benefit Information, LLC, doing business as PBI Research Services (PBI), has recently announced that the protected health information of up to 1,209,825 individuals was exposed and potentially stolen by the Clop ransomware group in an attack that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution on or around May 31, 2023. Pension Benefit Information provides pension management services, and its clients include insurance companies, financial institutions, and third-party administrators.

PBI said the breach was discovered on June 2, 2023, and the patch to fix the flaw was applied the same day. The forensic investigation confirmed that one of PBI’s MOVEit Transfer servers was accessed by the Clop hackers on May 29 and May 30, 2023. The files stolen in the attack included names, partial mailing addresses, dates of birth, and Social Security numbers. PBI said it could not determine exactly how many individuals had their information stolen, but that the number was potentially more than 1.2 million.

While data was stolen, PBI was unaware of any actual or attempted misuse of the stolen information at the time the notification letters were issued. As a precaution, affected individuals have been offered 12/24 months of complimentary credit monitoring and identity theft protection services. PBI and Milliman Solutions LLC started sending notifications to the affected individuals on June 4, 2023. The breach was reported to HHS’ Office for Civil Rights on July 14, and to the Attorney General of Maine on July 17.

Why the Milliman Solutions Connection is Significant

Milliman Solutions LLC provides risk assessment services to a global customer base – including U.S. insurance companies. When PHI is disclosed to Milliman Solutions by a health insurance company for risk assessment purposes, Milliman Solutions becomes a business associate of the health insurance company under HIPAA.


The connection between PBI and Milliman Solutions LLC is that when Milliman Solutions needs to verify, on behalf of an insurance company, that a policyholder has passed away, it contacts PBI. The verification process involves Milliman Solutions sharing personally identifiable information with PBI – making PBI a business associate of Milliman Solutions.

The data potentially stolen in the PBI data breach may not have included individually identifiable health information. However, because that data may have been stored in the same designated data set as PHI by Milliman Solutions or one of the health insurance companies it was providing services to, the breach qualifies as a HIPAA data breach and must be reported to all affected individuals and to HHS’ Office for Civil Rights.

In the notification made to the Attorney General of Maine, Milliman Solutions reported that insurance companies whose consumer data was affected by the incident include MEMBERS Life Insurance Company (MLIC), CMFG Life Insurance Company (“CMFG”), and The Independent Order of Foresters (“Foresters”). PBI was one of hundreds of organizations to have information stolen by the Clop gang through the exploitation of the MOVEit vulnerability. The ransomware remediation firm Coveware estimates the gang will earn between $75 million and $100 million from the attacks.

LockBit Ransomware Group Announces Attack on Panorama Eyecare

The LockBit ransomware group has recently added Panorama Eyecare to its data leak site and claims to have exfiltrated 798 GB of data from the Colorado-based physician management organization, including data from its clients Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, and 2020 Vision Center. Panorama Eyecare has yet to publicly confirm the data breach, and it is currently unclear to what extent patient data was involved.

8Base Ransomware Group Adds Kansas Medical Center to its Data Leak Site

Kansas Medical Center, a physician-owned hospital in Andover, KS, has recently been added to the data leak site of the 8Base ransomware group. The threat group claims the attack occurred on June 18, 2023, and that sensitive patient and employee data was stolen, including names, addresses, registration information, and other information. Kansas Medical Center has not publicly announced the attack, and it is unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
