
Medicaid Contractor Data Breach Affected 334,000 Providers

Maximus Corp. Says Personal Information Exposed in Unauthorized Access to App

Maximus Corp., a global provider of government health data services, says a data breach exposed the personal information of more than 334,000 Medicaid healthcare providers nationwide.


The company says in a statement provided to Information Security Media Group that on May 19, it discovered an unauthorized party had accessed one of its applications related to Medicaid provider credentialing and licensing with the Ohio Department of Medicaid between May 17 and May 19.

"This incident did not affect patient or Medicaid beneficiary information. Some personal information about healthcare providers may have been impacted, including names, dates of birth and Social Security numbers," the company states.

A breach notification provided to the Montana attorney general's office says Medicaid providers' Drug Enforcement Agency numbers also may have been exposed in the breach.

System Breached

In a filing with Maine's attorney general, Maximus says 334,690 individuals were affected when one of the company's external systems was breached. The notice states those affected will receive two years of free identity protection services through Experian.

In its statement provided to ISMG, Maximus did not supply a complete list of the states that were informed of the breach, nor did the company offer details on the type of attack. The company says it began informing the individuals affected on June 18, along with filing formal data breach notifications with state officials where the victims are located.

As of Wednesday, the incident was not yet listed on the Department of Health and Human Services' website that offers a tally of major health data breaches.

"Because the unauthorized activity was detected at a very early stage, Maximus believes our quick response limited potentially adverse impacts. This incident did not affect any other Maximus servers, applications or customers," the company says in its statement. It says it has no evidence the attackers have misused any of the information.

Maximus, which is based in Reston, Virginia, is an administrator of Medicaid enrollment broker services. The company says it answers more than 7 million Medicaid-related calls per month. It handles similar services in Australia, Canada, Italy, Saudi Arabia, Singapore, South Korea, Sweden and the U.K.

Other Recent Healthcare Incidents

Healthcare providers and their third-party suppliers have been targeted by cybercriminals in increasing numbers.

In a recent data breach notice, Attleboro, Massachusetts-based Sturdy Memorial Hospital said that on Feb. 9, it identified a security incident that disrupted the operations of some of its IT systems, affecting about 57,400 people. The hospital reported paying a ransom in exchange for promises by the attackers to destroy stolen data.

On Monday, Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, reported their systems were hit by a ransomware attack in April. The clinic operator says it regained control of its network and data after contacting the attackers.


About the Author

Doug Olenick


News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.



