On December 4th, 2023, Prime Healthcare, a medical service provider based in Ontario, California, confirmed it was affected by the MOVEit data breach. According to a statement by the health system, the breach was linked to Prime Healthcare through its revenue cycle management vendor, CBIZ KA Consulting Services, LLC (CBIZ KA). CBIZ KA used Progress Software's MOVEit Transfer solution, in which a zero-day vulnerability was exploited by a Russian-linked ransomware hacking group in late May 2023. Once notified of the breach, the third-party vendor launched an investigation, with the assistance of cybersecurity professionals, into the nature and scope of the MOVEit vulnerability.
From its investigation, CBIZ KA uncovered that multiple patients' information had been accessed during the breach, and on September 20th, 2023, the vendor sent Prime Healthcare files on the patients involved, which contained the name and one or more of the following for certain patients:
- Admission date
- Date of birth
- Discharge date
- Medical record number
- Social Security Number
Since the announcement, the identified vulnerability on the MOVEit Transfer server has been patched. CBIZ KA also claims it has taken extra steps to review the protocols in place with its vendors to help prevent another incident like this from happening again. Prime Healthcare serves more than 600 communities across 14 states and employs nearly 50,000 employees and physicians in Alabama, California, Florida, Georgia, Indiana, Kansas, Michigan, Missouri, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, and Texas. CBIZ KA Consulting Services, LLC is based in East Windsor, NJ, and assists hospitals and healthcare systems with the intricacies of reimbursement.
Who Was Affected by the Data Breach?
While Prime Healthcare operates 45 hospitals, only nine were affected by the MOVEit data breach. Affected facilities include hospitals located in New Jersey, Pennsylvania, and more. Below is the complete list of Prime Healthcare hospitals affected by the MOVEit data breach:
- Saint Clare's Hospital
- Saint Michael's Medical Center
- St. Mary's General Hospital
- Roxborough Memorial Hospital
- Lower Bucks Hospital
- Suburban Community Hospital
- Garden City Hospital
- Lake Huron Medical Center
- Landmark Medical Center
If you are a registered patient at any of the above-listed hospitals, you may be affected by the breach. For more information on which locations were affected by the breach, we highly encourage you to contact your local Prime Healthcare facility or contact a Morgan & Morgan data breach attorney today.
What Is the MOVEit Data Transfer Breach?
MOVEit is a file transfer platform created by Progress Software Corporation, an American public company that offers software for creating and deploying business applications. The MOVEit system is used by thousands of governments, financial institutions, and other public and private sector bodies around the world to send and receive large amounts of often sensitive data, including pension information, social security numbers, medical records, billing data, and more. Many companies and other global establishments targeted by Cl0p first noticed the breach in May 2023. However, hundreds of companies have yet to discover if they have been affected by the breach.
Who is Cl0p?
Cl0p is a member of the Russian-language Cryptomix ransomware family and is a dangerous file-encrypting malware that intentionally exploits vulnerable systems and encrypts saved files with the ".Clop" extension. Since 14, 2023, the ransomware operation has claimed the hacks related to the MOVEit data breach. According to the Federal Bureau of Investigation, Cl0p has accessed stored information, including addresses, authorization information, claim information, dates of birth, names, social security numbers, and more from the MOVEit system. Using this stolen information, Cl0p can demand ransom from the companies it targets.
What Security Options Are Available for Those Affected by the Recent Breach?
CBIZ KA is offering complimentary credit monitoring and identity protection services through Kroll to eligible individuals whose Social Security numbers may have been involved in the incident. Those affected by the breach should receive a notice letter by Wednesday, December 13th. If you believe you are affected by this incident and do not receive a notice letter, please call (866) 547-6909, Monday through Friday, between 9:00 a.m. and 6:30 p.m. Eastern Time, excluding major U.S. holidays.
Those who have yet to receive notice from CBIZ KA or their Prime Healthcare providers regarding whether they have been affected by the breach should also take extra precautions to monitor their credit through available credit monitoring tools, like those provided by credit bureaus such as Equifax, Experian, and TransUnion, who offer one free credit check a year. Victims can also use Credit Karma to access free, daily credit monitoring. For more information on what options are available to you, contact a Morgan & Morgan attorney today.
Victims Should Contact a Morgan & Morgan Data Breach Attorney
Working with an attorney can significantly increase your odds of recovering any damages you or your loved ones may have suffered due to the data breach. An attorney will help you understand your legal options and ensure you are well-equipped to fight back if you are up against entities that would try to dismiss any liability for their negligence after third-party hackers like Cl0p have stolen your private information.
MOVEit Data Breach Victims Can Afford To Hire an Attorney
Other law firms may charge you hourly rates or other fees upfront. Unlike them, we understand how hiring an attorney may not be the most cost-effective decision when sustaining the lives of those you love. This is why when you decide to work with us, our attorneys work on what is called a "contingency fee" system. The contingency fee allows you the flexibility to work with quality attorneys without the fear of breaking the bank.
For more information on the contingency fee and the MOVEit data breach, or if you have been recently affected, contact a Morgan & Morgan data breach attorney today. Victims can connect with one of our attorneys by completing our free, no-obligation case evaluation form.