Ohio Medicaid providers’ data may have been exposed from data breach

NICK GRAHAM/STAFF

A state contractor shared Monday that Ohio Medicaid providers may have had their personal data exposed a month ago when someone gained unauthorized access to an app.

Ohio Medicaid said on Monday it was notified by its data manager, Maximus, that it had a cybersecurity incident around May 17. This potentially exposed provider names, social security numbers, addresses, and other information.

Ohio Medicaid stated the department is monitoring the progress of the investigation and will continue working with Maximus as they remedy the situation. All questions were directed to Maximus.

People covered by Medicaid were not affected. The company said the incident did not affect any other Maximus servers, applications, or customers and said there is no evidence that any of the information has been misused.

An application with Ohio credentialing and licensing data was accessed by an unknown party between May 17 and May 19.

Maximus mailed letters to affected providers on Friday, June 18.

Maximus said in a statement that it “promptly took the impacted application offline, launched an investigation with a leading cybersecurity firm, activated response protocols, and notified law enforcement.”

“Because the unauthorized activity was detected at a very early stage, Maximus believes our quick response limited potentially adverse impacts,” Maximus stated.

Maximus is one of the largest contractors of government health data services in the world.

People with data that may have been exposed can get two years of credit monitoring services and will receive a mailed letter with credit monitoring instructions.

Challenges with data breaches aren’t isolated to the incident with Maximus.

The Dayton Daily News reported Sunday that companies of all sizes must bolster their cybersecurity defenses as emboldened hackers launch high-profile and costly ransomware attacks.

New hacking opportunities also opened during the pandemic when companies sent employees home to work on equipment that was less secure than in the office and as remote employees became more reliant on email, a common entry point for cyber intruders.

Dave Salisbury, director of the center for cybersecurity and data intelligence at the University of Dayton, had called it an “arms race” and said attackers have an advantage. They need only find a limited number of places where an organization is vulnerable to intrusion, whereas business owners must focus on all aspects of running the company, including cybersecurity.

“The bad guys are going to be coming up with new tricks all the time,” Salisbury said.

In 2020, ransomware attacks hit 560 health care facilities in the U.S., according to Emsisoft, a New Zealand-based cybersecurity company.

The largest was an attack on Universal Health Services, which operates about 400 hospitals and other healthcare facilities. Other major incidents included cyberattacks on Boston Children’s Hospital, Crozer-Keystone Health System, University of Vermont Health Network and Lake Region Healthcare, according to Emsisoft’s State of Ransomware in the U.S. report.

In at least 12 incidents, stolen private health information and other sensitive data was published online.

“The impact of the attacks was alarming: ambulances were rerouted, radiation treatments for cancer patients were delayed, medical records were rendered temporarily inaccessible and, in some cases, permanently lost, while hundreds of staff were furloughed as a result of the disruptions,” according to the report.

Cyberattacks and data breaches by the numbers - 2020

Credit: Alexis Larsen
