Data of “At Least” 8m US Patients Hacked According To Government Contractor

Hackers exploited a vulnerability in MOVEit Transfer, according to a government services contractor.

Hackers have accessed the protected health information of “at least” 8 to 11m individuals, US government services contractor Maximus has confirmed, in a potentially huge data breach.

Maximus is a Virginia-based technology company that helps streamline government services – such as Medicaid, Medicare and welfare-to-work – at a local, state and federal level.

This particular data breach is just one of many that have contributed to a new record of 1,393 data compromises in the first half of 2023. By comparison, the total for the whole of 2021 was 1,862.

Social Security Numbers And Health Information Affected

In an 8-K filing earlier this week, Maximus confirmed that the personal information – which includes Social Security numbers and protected health information – of individuals had been accessed by hackers who were able to exploit a zero-day vulnerability within MOVEit Transfer.

MOVEit Transfer is a solution used by Maximus to share data with its government customers about the individuals who use its programs.


Maximus hasn’t yet confirmed what specific health data was accessed, but it has begun to notify customers and federal and state regulators who have been impacted. The company has also estimated that the entire incident will cost around $15m to investigate and rectify.

The company expects a full report on the number of individuals impacted to take “several more weeks”. It has also stated that there could be up to 11m people impacted, which would make this the largest breach of healthcare data this year.

According to The Identity Theft Resource Center, the healthcare sector is the worst hit when it comes to data compromises, with 379 counted in the first half of this year alone.


Maximus Just One Of Hundreds Hit By MOVEit Transfer Hacks

The outfit behind the recent breach is Clop, a Russia-linked data extortion group that uploads hacked information onto its dark web leak site. As well as recently attacking PwC and Ernst & Young, Clop has claimed to have also hacked Deloitte and Flutter, which owns Fox Bets and Poker Stars, this week alone.

Clop claims to have stolen 169GB of data from Maximus but none of it has been published yet.

The hackers have also claimed Pensions Benefit Information, which provides pensions plan management services across a range of sectors, as another recent victim. The company confirmed the breach but hasn’t stated how many individuals have been affected.

However, four clients of Pensions Benefit Information have stated that the data of more than 4.75m people was accessed.

This latest data breach by Clop adds to the more than 500 organizations that have been impacted by the mass MOVEit hacks, which have in turn affected more than 34.5m people.

Written by:
Ellis Di Cataldo (MA) has over 9 years experience writing about, and for, some of the world’s biggest tech companies. She's been the lead writer across digital campaigns, always-on content and worldwide product launches, for global brands including Sony, Electrolux, Byrd, The Open University and Barclaycard. Her particular areas of interest are business trends, startup stories and product news.