Indiana Family and Social Services: Data breaches affect 956,000 Medicaid members

Number of data breach victims growing

INDIANAPOLIS — The Indiana Family and Social Services Administration has announced 212,193 Medicaid members who get their health care insurance plans through CareSource were subjected to a global hack of their private information.

Friday’s announcement came on the heals of a Family and Social Services announcement on Aug. 11 in which 744,000 members had their information stolen; that brings the total number of people to a staggering 956,193 Medicaid members.

All of the Medicaid members’ personal information — including names, addresses, Social Security numbers, dates of birth — is in the hands of bad guys.

According to statistics from tech giant IBM, the financial impact of the data breach on Hoosier Medicaid members is more than $157 million.

Medicaid is the federal-state health care insurance program that helps pay for health care for low-income people of any age.

CareSource is contacting Medicaid members affected with information and options for credit monitoring, the state said Friday in a news release.

Victor Wieczorek of GuidePoint Security told News 8, “I anticipate us having many more of these announcements in the weeks and months to come.”

Wieczorek is a self-described good guy hacker. He stress-tests applications and then fixes vulnerabilities for companies.

He told I-Team 8 the hack of the MOVEit software is the biggest in recent memory. It impacts 1,000 companies and more than 60 million people.

“We always have to be on guard. It could happen to the best of us. In this specific case, it wasn’t anything that the Medicaid organization had control over. It was a third-party technology that they put their trust and reliance into,” Wieczorek said.

He says the CLOP Ransomware Gang in Russia is responsible. “Because they’ve been so successful in what they do, it is relatively easy for them to just move on to whatever the next vulnerability is.”

While the hackers are move new targets, Wieczorek said, the people already impacted have to deal with the ramifications of having their information shared.

Meanwhile, he said, the bad guys continue to “open up new accounts, or to gain access to additional information, bank accounts, social media.”

He stresses the importance of accountability for companies that have MOVEit and applications like it.

“We have to hold their feet to the fire to do more security reviews to have these things vetted more fully before we entrust them with our private information,” Wieczorek said.

News release

“FSSA announces managed care entity security breach affecting Indiana Medicaid members

“Incident part of global breach

“INDIANAPOLIS – The Indiana Family and Social Services Administration today announced that software used by managed care entity CareSource experienced a security breach that exposed protected health information of some Indiana Medicaid members.

“The names, addresses, Social Security numbers, dates of birth, gender, medical conditions, diagnoses, medications, allergies, health conditions, member ID and plan name of 212,193 members of Indiana Medicaid who are part of a CareSource managed care plan may have been exposed in the breach.

“The breach occurred in the MOVEit application used by CareSource. The MOVEit application breach affected companies and organizations worldwide and occurred in late May.

“CareSource immediately remediated the breach. CareSource notified FSSA and is contacting all Medicaid members affected with information and options for credit monitoring.

“For questions or additional information, contact CareSource at 1-866-764-7020 Monday through Friday from 9 a.m. to 6:30 p.m. ET.”

News release from Michele Holtkamp of Indiana Family & Social Services Administration sent 10:11 a.m. Sept. 1, 2023