Maximus, a major U.S. government contractor, confirmed on July 26 that hackers accessed the protected health data of up to 11 million individuals. The data was compromised through Maximus's use of MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. MOVEit is used by thousands of governments, financial institutions, and other private and public companies across the globe. Maximus uses MOVEit "for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs."
Maximus contracts with local, state, and federal governments to manage programs such as Medicaid, Medicare, healthcare reform, student loan services, and welfare-to-work. Because of its deep involvement with these government programs, the data the hackers encountered included personal information such as "social security numbers, protected health information and/or other personal information."
Not only is the type of data the hackers accessed significant, but so is its scale: the hackers could have accessed the data of 11 million individuals. This breach would be the most extensive healthcare data breach of 2023 and, more importantly, the most significant breach resulting from the recent MOVEit mass-hacks.
The MOVEit mass-hacks, which began in May 2023, have been linked to Cl0p, a Russian data extortion group that has stolen an estimated 169 gigabytes of data from Maximus alone. Maximus is by no means the only organization affected by Cl0p. The extortion group announced last week through its leak website that data from Deloitte, Flutter, and Toyota had also been leaked. According to Emsisoft, a cybersecurity company tracking the mass-hacks, about 500 organizations and the personal information of almost 35 million people have been impacted. About 76% of these known victims are U.S.-based organizations.
How Did It Happen?
On May 30, 2023, Progress Software announced it had discovered a vulnerability in MOVEit Transfer. It was later revealed that this vulnerability was known to Progress Software as early as May 27. In June, Progress Software warned customers of two additional vulnerabilities. Any of these vulnerabilities could have given Cl0p a way in.
What Happens Next?
In Maximus's 8-K filing with the SEC, the organization stated that it promptly began investigating the incident. Maximus did not file the 8-K until July 26, 2023. In the 8-K, Maximus expressed its plans to begin notifying impacted customers and federal and state regulators. Maximus will offer those affected free credit monitoring and identity restoration services for an undisclosed amount of time.
Additionally, in the 8-K, Maximus noted that it estimated the cost of this hack would be only $15M for the organization, with the caveat that it still has a few weeks of investigation ahead of it. We have noted a few critical issues related to the $15M estimate.
- Class Actions and Legal Fees: The first issue with this estimate is that there is no mention of whether the $15M accounts for potential class actions and additional legal fines. With a possible 11 million people at risk, it is unclear if the $15M accounts for lawsuits.
- Future Protection of Data: Maximus will likely need to make costly changes to protect data in the future. There are direct and indirect costs associated with such changes. There is no indication of whether these costs are included in the $15M.
A conservative disclosure would address all potential costs likely to result from the breach, or at least include a statement that the costs could not currently be estimated. The current wording might place Maximus in the position of being required to update the 8-K in the future.
- Major Contracts at Risk: Maximus has a $6.6B contract with the U.S. Department of Health and Human Services. If Maximus loses this contract, its loss will undoubtedly surpass $15M. There is no indication that the contract is at risk, and the issue was not addressed at all in the 8-K. That position may very well be defensible, but companies should have clear disclosure controls governing how they determine likely outcomes.
- Timing: As stated above, Maximus filed its 8-K on July 26 – approximately two months after it initiated an investigation. In June, the U.S. SEC staff recommended legal action against SolarWinds employees, including the Chief Information Security Officer, concerning their response to a 2020 cyberattack. Additionally, under the SEC's newly adopted Cybersecurity Rules, public companies must file an 8-K within four business days after determining that a cybersecurity incident is material. Taken together, the timing of Maximus's 8-K filing could be cause for concern.
Both the timing and the contents of the Maximus 8-K raise questions. The SEC is highly focused on cybersecurity incident disclosure. Public companies need to have clear and effective cybersecurity incident disclosure controls. This area will remain complicated until patterns of compliance are established.