November 08, 2023

Department of Community Health Notice of MOVEit Data Security Incident

Georgia Department of Community Health Provides Notice of MOVEit Data Security Incident

On behalf of the Georgia Department of Community Health (the "Agency"), Maximus Health Services, Inc. (Maximus) is providing notice of an incident that involved certain individuals' information. Maximus was formerly a contractor to the Agency to support certain government programs. Information affected in this incident was shared with Maximus for administrative purposes.

The incident involved a critical vulnerability in MOVEit Transfer, a third-party software application provided by Progress Software Corporation (Progress). Maximus is among the many organizations in the United States and globally that have been impacted by the MOVEit vulnerability. 

On May 30, 2023, Maximus detected unusual activity in its MOVEit environment; Maximus promptly began to investigate with the help of nationally recognized cybersecurity experts. Early in the day on May 31, 2023, Maximus took its MOVEit application offline. Later that same day, Progress first publicly announced a previously unknown vulnerability in its MOVEit software, which an unauthorized party used to gain access to files of many MOVEit customers. Maximus subsequently applied vendor recommended actions, including applying new patches made available by Progress, to address the vulnerability.

Maxims engaged a forensic investigation firm and a data analysis firm to identify affected individuals and the types of information involved. Maximus learned that on approximately May 27 - 31, 2023, the unauthorized party obtained copies of certain files that were saved in the Maximus MOVEit application. After learning about the files, Maximus began to analyze the files to determine which data was affected. On August 17, 2023, Maximus notified the Agency that our investigation determined that the files contained some personal information. The information involved varied by individual and may include name, address, email address, telephone number, date of birth, Social Security number, medical record number, case number, medical history, condition, treatment, or diagnosis, health insurance information, and claims information.

Maximus is offering two years of complimentary access to Experian IdentityWorks. Although the investigation has determined that the incident did not impact our systems directly, beyond our MOVEit application, we continue to enhance our cybersecurity program to safeguard from cyber threats. We also notified and are cooperating with law enforcement.

As good practice, it is recommended that individuals regularly monitor account statements and monitor free credit reports. If individuals identify suspicious activity, it is recommended that they contact the company that maintains the account.

Maximus takes the privacy and security of personal information very seriously and regrets that this incident occurred.

Individuals with questions or concerns should contact Maximus at 833-919-4749 toll-free Monday through Friday from 8 a.m. - 10 p.m. Central, or Saturday and Sunday from 10 a.m. - 7 p.m. Central (excluding major U.S. holidays) and, if they received a notification letter in the mail, they should be prepared to provide the engagement number provided in that letter. Individuals may also contact Maximus by mail at: 1600 Tysons Blvd., Suite 1400, McLean, VA 22102.

To see CareSource's notice on complimentary credit monitoring services for its members, click Download this pdf file. here .