Department of Social Services encourages Missourians to monitor and protect their identity after third-party cyber-attack

JEFFERSON CITY – The Department of Social Services encourages Missourians to monitor and protect their identity after third-party cyber-attack

 

The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software. IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS. DSS took immediate steps in response to this incident that are ongoing.

 

The incident involved a critical vulnerability in MOVEit Transfer, a third-party software application used by IBM. The MOVEit vulnerability has impacted many organizations in the United States and around the world.

 

Medicaid participant protected health information may have been accessed by an unauthorized party in this security incident.  DSS is providing this notice to help Missourians understand the incident, what we are doing, and the steps Missourians can take to protect their information.

 

What happened and what are we doing?

 

IBM notified DSS of the incident on June 2, 2023, informing DSS that IBM had applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application while they investigated to determine if any DSS data had been accessed.  DSS immediately began investigating and working with the appropriate entities to ensure the security of DSS systems and information. No DSS systems have been found to have been impacted by this incident, but will continue to be monitored.

 

On June 13, 2023, IBM notified DSS that DSS should presume at that time that certain files saved in the MOVEit software application were accessed by an unauthorized user.  Based upon the types of files believed to have been accessed, DSS determined that the files may have contained Medicaid participant protected health information. DSS was able to obtain a copy of the files believed to have been accessed and we are still analyzing the contents of those files. Due to the size and formatting of the files, it will take some time to complete this analysis.

 

While this analysis is ongoing, DSS is sending letters to those individuals who are potentially impacted by this incident so that they can take steps to protect their personal information. If DSS determines that additional information or additional individuals may have been impacted, an additional notice will be provided to those individuals. The notice contains information regarding this security incident, what actions DSS is taking in response to this incident, provides information on how Missourians can obtain a free credit report, and steps they can take to monitor their credit and accounts.

 

DSS is continuing to investigate this incident, and we will take all appropriate actions to protect and safeguard Missourians’ information that has been entrusted to DSS.

 

What information was involved?

 

The information involved in this incident may include an individual’s name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims information.

 

DSS is still reviewing the files associated with this incident. This will take us some time to complete. These files are large, are not in plain English, and are not easily readable because of how they are formatted.   We are working to analyze these files as quickly as possible, and will contact additional people individually should we determine during this review that different or additional information or individuals were potentially impacted.  

 

What actions can I take to ensure my information is safe?

 

Even though our investigation is ongoing, individuals can take steps now to freeze their credit for free, which stops others from opening new accounts and borrowing money in their name, while allowing them to continue to use existing credit cards or bank accounts. DSS encourages Missourians to review and/or monitor their credit reports during this time. Missourians can freeze their credit or request a free credit report from the three major reporting services.

 

Experian

1-888-397-3742

www.experian.com

 

Equifax

1-800-685-1111

www.equifax.com

 

TransUnion

1-888-909-8872

www.transunion.com

 

There has been no indication to date during the investigation that DSS data has been misused, but we encourage potentially impacted Missourians to be vigilant.

 

Who can I contact for more information?

 

DSS takes the privacy and security of Missourians’ personal information very seriously and we regret that this incident has occurred. DSS has partnered with IDX, a ZeroFox Company, to assist Missourians whose information may have been affected by setting up a dedicated call center and incident response website to help answer any questions or concerns. Additional information obtained through our investigation will also be available through this dedicated call center and incident response website. The phone number for the dedicated call center is (888) 220-4761 and is open from 8 a.m. to 8 p.m., CST, Monday through Friday, except major U.S. holidays. DSS’ dedicated incident response website, which may answer many of the common questions that potentially affected Missourians may have and will contain updates on our investigation, can be found at https://response.idx.us/missouri.