The Indiana Family and Social Services Administration (FSSA) announced on Friday that a security breach exposed the personal information of more than 744,000 Indiana Medicaid members. The breach occurred in late May when a software application used by one of Medicaid’s contractors, Maximus Health Services, was compromised by a cyberattack. The software, called MOVEit, is used to transfer files securely between Maximus and the FSSA.
The FSSA said that the names, addresses, case numbers and Medicaid numbers of over 744,000 members were exposed in the breach. The Social Security numbers of four Medicaid members were also impacted. The FSSA stated that the breach affected companies and organizations worldwide that use the MOVEit application.
How did the FSSA respond?
The FSSA said that it was notified by Maximus of the breach on June 18, 2023, and that it immediately launched an investigation to determine the extent and impact of the incident. The FSSA also said that it notified the federal Centers for Medicare and Medicaid Services (CMS), the Indiana Attorney General’s Office, and other relevant authorities.
The FSSA said that it is working closely with Maximus to ensure that all affected Medicaid members are contacted and offered free credit monitoring and identity protection services for 24 months. The FSSA also said that it is reviewing its contract with Maximus and its security protocols to prevent future breaches.
What can affected members do?
The FSSA advised all affected Medicaid members to enroll in the free credit monitoring and identity protection services offered by Maximus as soon as possible. The FSSA also urged them to monitor their credit reports, bank accounts, and other financial statements for any suspicious activity or unauthorized charges.
The FSSA said that affected members can call 1-833-919-4749 for more information or assistance. The FSSA also provided some tips from the CMS on how members can protect their personal information from identity theft, such as:
- Obtaining a free credit report every 12 months from each of the three major credit reporting companies: Equifax, Experian, and TransUnion.
- Identifying any accounts or inquiries that they did not open or authorize, and contacting the credit reporting company to correct any errors.
- Checking their credit reports periodically for any changes or signs of fraud.
- Reporting any suspicious activity or misuse of their information to their local law enforcement agency and filing a police report.
- Filing a complaint with the Federal Trade Commission (FTC) online at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
What are the implications of the breach?
The data breach is one of the largest to affect Indiana’s Medicaid program, which serves about 1.6 million low-income and disabled residents. The breach could expose the affected members to identity theft, fraud, phishing, or other cybercrimes. The breach could also damage the trust and confidence of the public in the state’s health care system and its contractors.
The breach also raises questions about the security and oversight of third-party vendors that handle sensitive health information for government agencies. The FSSA said that it is conducting a comprehensive review of its contract with Maximus and its security measures to ensure compliance with federal and state laws and regulations. The FSSA also said that it is exploring legal options to hold Maximus accountable for the breach.