SUBSTITUTE AND MEDIA NOTICE OF OUTSIDE VENDOR DATA SECURITY INCIDENT
Posted 10/5/2023
On May 31, 2023, Progress Software, the publisher of the MOVEit® Transfer secure file transfer platform, disclosed a zero-day vulnerability in its MOVEit software that had been exploited by an unauthorized third party who was able to download certain files from MOVEit Transfer.
- CBIZ KA uses MOVEit Transfer to securely transfer data files in the normal course of business. On August 7, 2023, Tanner Health System (THS) received notice from CBIZ KA that some THS files were involved in the incident. CBIZ KA has stated that it promptly launched an investigation, with the assistance of cybersecurity professionals, into the nature and scope of the MOVEit vulnerability. Through the investigation, CBIZ KA learned that an unauthorized party accessed a MOVEit Transfer server between May 29 and June 5, 2023, and downloaded data.
- CBIZ KA reviewed the files involved and, on September 11, 2023, informed THS that the files contained the name and one or more of the following for certain THS patients: address, insurance/guarantor information, diagnosis codes, claim amount, date of birth. The information involved varies by individual. THS patient/guarantor Social Security, credit card and bank routing numbers were NOT involved.
- CBIZ KA will be mailing letters to the last known address of potentially affected individuals and will be opening a dedicated, toll-free call center to answer questions about the incident. Meanwhile, if individuals believe they were affected by this incident and do not receive a notice letter by approximately October 31, 2023, they can call 1-800-298-2295, Monday through Friday, between 10:00 am and 5:00 pm Eastern Time (excluding major U.S. holidays). They should leave a message, and someone will return the call.
Please do not contact Tanner directly because Tanner's hospital operators will not necessarily be familiar with this incident. Tanner's computer systems were not involved.
According to CBIZ KA, the identified vulnerability on the MOVEit Transfer server has been patched, and CBIZ KA also reviewed the protocols in place with vendors to help prevent something like this from happening again.
As always, individuals should remain vigilant against incidents of identity theft and fraud by reviewing their financial account statements and monitoring their free credit reports for suspicious activities and to detect and respond to errors. Individuals may obtain a copy of their credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order their annual free credit report, individuals should visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-888-378-4329
- Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
- TransUnion, PO Box 1000, Chester, PA 19016, www.transunion.com, 1-800-916-8800
More on this incident from CBIZ is available at https://kaconsults.cbiz.com/notice-of-data-security-incident.