Data Media Associates, a Georgia-based value-added solutions provider serving the healthcare industry, has learned of a data security incident that may have involved personal and/or protected health information. DMA works with its client healthcare organizations to provide printing, mailing, and other healthcare billing fulfillment services. DMA has sent notification of this incident to potentially affected individuals and provided resources to assist them.
In June 2023, DMA became aware of an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”) addressing a critical vulnerability affecting MOVEit Transfer, a managed file transfer solution used widely by businesses and government agencies, including DMA, to securely transfer data. After becoming aware of the alert, DMA took immediate steps to patch its MOVEit system in accordance with the developer’s instructions. MOVEit deployed a patch on May 31, the same day the vulnerability was reported. See here: MOVEit Transfer Critical Vulnerability (May 2023).
DMA thereafter undertook a comprehensive investigation with the assistance of leading external experts to learn more about the scope of any potentially affected data. Our investigation concluded on June 30, 2023, and revealed that certain data stored within MOVEit may have been acquired without authorization. Since that time, we have been working diligently to provide notice to our client healthcare organizations and gather information needed to provide notification to potentially affected individuals.
DMA provided notice of this incident to the potentially impacted individuals beginning on August 23, 2023. In so doing, DMA provided information about the incident and about steps that potentially affected individuals can take to protect their information. DMA takes the security and privacy of individuals’ information very seriously. It has taken all remediation measures recommended by the MOVEit software developers and will be evaluating additional safeguards that can be put in place to further enhance the security of the data entrusted to it.
The following information may have been involved in the incident: Individuals’ names, addresses, and high-level medical or health insurance information such as would appear on billing statements, invoices, or other claims-related documents. In some instances, the involved data also included health insurance ID numbers, which DMA understands may be the same as individuals’ Social Security numbers.