Russian hackers accessed the personal information of 110,000 residents of Pima County, Arizona whose data was held by Maximus Health Services, who was contracted by the county for contact tracing during the COVID-19 pandemic.
The government contracting giant acknowledged between 8 and 11 million people had their information breached by hackers in a July filing with the Securities and Exchange Commission (SEC), and this week confirmed about 110,000 Pima County residents were affected, according to KJZZ, which added that the county “contracted with Maximus” for contact tracing during the pandemic.
Contact tracing is the process of tracing the movements of individuals who test positive for COVID-19 to locate individuals who were in close proximity and inform them of their increased risks, allowing them to self-isolate or take other precautions. Local media reported that Pima County employed just 30 people for local contact tracing in May of 2020, but planned to double their ranks at the time. The total number of American contact tracers was predicted to explode by more than 100,000 over the course of the pandemic.
Maximus primarily contracts with federal and state governments to administer programs including Medicaid, Medicare, and welfare programs. The company is contacting affected residents of Pima County to inform them and offer two years of free Experian credit monitoring and identity theft restoration services, but reportedly lacks contact information for 40,000 residents. A total of 360,000 Pima County residents had patient records held by Maximus, meaning just under one third had information stolen.
Arizonans’ personal information was accessed via MOVEit, a popular third-party file transfer program, which was hacked in May. According to TechCrunch, Russia-linked data extortion group Clop was responsible for the MOVEit hacks, and claims to have 169 gigabytes of data stolen from Maximus.
In its filing, the company acknowledged that “personal information, including social security numbers, protected health information, and/or other personal information” of up to 11 million people was included in the breach. However, KJZZ’s reporting indicates Maximus does not believe social security numbers were included in the data breach for residents of Pima County.
The company claimed it already spent $15 million to address the hack by June 30, but said it is “unable to predict other potential liabilities or consequences that may arise from this incident.”
Maximus did not respond to a comment request from The Arizona Sun Times seeking more details about how the breached data was gathered by Maximus, to determine if other Arizona counties were impacted, and to clarify the company’s plan to contact all affected Pima County residents.
A separate press release from the Centers for Medicare & Medicaid Services (CMS) reveals that 612,000 Medicare beneficiaries were impacted by the breach, including a sample letter from Maximus.
The MOVEit hack of Maximus’s data is not the first major healthcare hack this year, as foreign actors were suspected of hacking a Washington, D.C. Obamacare health insurance exchange and obtaining personally identifiable information of hundreds of House members and staff in March.
Separately, a Chinese government-backed hacking group was accused of attacking critical U.S. networks to spy on the United States prior to a future conflict, and a separate Chinese hacking group gained access to confidential emails of at least two senior Biden administration officials.
The hack of data gathered from a COVID-19 preventative measure comes amid increased national discussion over future pandemic responses. Mandatory face masks, another favored pandemic-era measure, were banned in Arizona schools and businesses in 2022.
– – –
Tom Pappert is a reporter for The Arizona Sun Times and The Star News Network. Follow Tom on Twitter. Email tips to [email protected].