The US Department of Health and Human Services (HHS) has fallen victim to a data breach, potentially compromising the information of over 100,000 individuals.
According to an HHS representative, the breach occurred due to attackers exploiting a vulnerability in the widely used file-transfer software MOVEit.
This breach is part of a larger supply chain hack orchestrated by a Russian ransomware gang that has affected numerous government agencies, major pension funds, and private businesses.
US Department of Health and Human Services Classified It a 'Major Incident'
While the HHS official did not disclose the specific type of data that was compromised, it was clarified that none of the department's systems or networks were directly compromised.
Instead, the Associated Press reported that the attackers gained access to data managed by undisclosed third-party vendors.
On Tuesday, the HHS reported the breach to Congress, classifying it as a "major incident" due to the potential impact on the data of more than 100,000 individuals.
The breach, which targeted the MOVEit file-transfer program, was unveiled last month and has already affected numerous organizations worldwide.
Among the confirmed victims are the US Department of Energy, various federal agencies, millions of motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, the BBC, and British Airways.
The breach has had far-reaching consequences, with the Tennessee Consolidated Retirement System announcing that data belonging to over 171,000 retirees and beneficiaries was compromised.
Similarly, California's public pension fund revealed that personal data belonging to over 769,000 retired workers and beneficiaries was stolen.
After discovering the breach, Progress Software, the parent company of MOVEit's US maker, immediately notified its customers about the incident on May 31 and provided a patch.
Despite these measures, cybersecurity experts expressed concern that, by the time the patch was issued, sensitive data from numerous companies could already have been quietly exfiltrated.
The hack carried out by the Clop ransomware syndicate has put the stolen data at risk of being exposed online if the victims refuse to comply with the extortion demands.
The US government has acknowledged that multiple federal institutions have fallen victim to cyberattacks that exploit the vulnerability present in the widely utilized file transfer tool.
CISA Confirms Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has already confirmed that several agencies have suffered attacks due to the exploitation of a security flaw in Progress Software's MOVEit Transfer application.
The Clop ransomware gang, believed to have connections to Russia, has claimed responsibility for these attacks and has started disclosing the names of companies it alleges to have compromised through the MOVEit vulnerability.
While the MOVEit hack has affected multiple institutions, the Department of Energy stated that it immediately mitigated the vulnerability's exposure upon discovering the breach.
The department is collaborating with law enforcement, CISA, and the impacted organizations to investigate the incident and minimize its repercussions.
Jen Easterly, head of CISA, emphasized that the MOVEit hack was mainly opportunistic and did not specifically target high-value data. She assured that this cyberattack does not pose a systemic threat, unlike the SolarWinds hack, which significantly impacted multiple US government agencies in 2020.