Health Plan Services Company Says MOVEit Breach Affects 805,000 People

A Georgia-based company that provides administrative services for health plans has joined other companies in reporting a major health data hack related to the use of Progress Software’s MOVEit file transfer software.


In a report filed Friday with Maine’s attorney general, NASCO said about 805,000 people, including 2,840 Maine residents, were affected by a hack involving MOVEit about six months ago, over Memorial Day weekend.

In its filing, NASCO said that on May 30, the company experienced a data security incident in which a malicious actor acquired data from NASCO’s MOVEit software.

“When NASCO became aware of this incident on July 12, it temporarily took steps to protect its systems, initiated an investigation with a major cybersecurity firm, and notified law enforcement authorities,” the company said in its sample breach notice. Some private data of health plan members was compromised in the incident, the company said.

That data includes people’s names, Social Security numbers and identifiers, NASCO said.

NASCO said its MOVEit server affected by the attack was taken down and is no longer available on the internet, and that the company is no longer using MOVEit.

“Forensic evidence showed no activity by malicious actors outside of exploiting the MOVEit vulnerability. NASCO continues to work with authorities on this issue,” the company said.

To help prevent similar incidents in the future, NASCO said it has implemented additional procedures for the security of its IT environments. The company also provides Americans with 24 months of free identity and credit monitoring.

NASCO joins a large and growing number of companies affected by the MOVEit hacks, including other third-party vendors that provide administrative and similar services to healthcare organizations.

As of Tuesday, the NASCO MOVEit incident had not yet been posted on the U.S. Department of Health and Human Services’ Office for Civil Rights breach reporting tool website. The tool lists health data breaches affecting 500 or more people.

But among the other major MOVEit incidents added to HHS’s HIPAA breach website in recent weeks was an attack affecting roughly 136,000 people reported by Radius Global Solutions, a Pennsylvania-based vendor that provides revenue cycle management to healthcare entities and customers in other sectors.

The data potentially compromised by the Radius hack includes people’s names, dates of birth, Social Security numbers, medical treatment codes, treatment locations, and treatment payment history, including the health insurance provider.

Florida-based Arietis Health, another provider of revenue cycle management for the healthcare industry, recently told regulators that it was the victim of a MOVEit hack that affected 55 medical providers and approximately 2 million people (see:
