The breach was reported on KENS-5 in San Antonio, where one woman whose daughter receives HHS services spoke about receiving a notification letter from Maximus.
According to the letter: “Maximus is a contractor to the Texas Health and Human Services Commission and provides services to support certain government programs. Your minor’s information was affected because this incident affected information shared with us and by us for administrative purposes.”
“The incident involved a critical vulnerability in MOVEit transfer, a third-party software application programmed by Progress Software Corporation. Maximus is among the many organizations in the United States and globally that have been impacted by the MOVEit vulnerability,” it said.
Maximus reported the incident last month to the Texas Office of the Attorney General (OAG). Details published on the state’s data security breach reports page showed that multiple pieces of personally identifiable information were compromised, including:
- Names
- Social Security numbers
- Government ID numbers that may include passports or state ID cards
- Financial information that may include account number or credit and debit card numbers
- Medical and health insurance information
Progress Software Corporation released an advisory about the vulnerability in June.
Data compromises involving 250 or more Texans must be reported to the OAG. Reports come from public entities, private companies, hospitals, schools and higher education entities, among others. Reports must be electronically submitted under a new policy, according to the OAG website.
“Effective Sept. 1, 2023, Texas law requires that all reports be submitted to the Texas Attorney General electronically using the Data Breach Report provided by the OAG. The report to the AG must specify the number of Texans that the business or organization has notified of the breach by mail or email,” it says.
The OAG published three data breach incidents this month involving public-sector entities.
- Tomball reported that some 400,000 Texans had multiple pieces of information compromised including names, driver’s license numbers and government ID numbers such as passports or state ID cards. The city notified affected people, and the report was published Sept. 12.
- The Texas Facilities Commission reported that 1,996 Texans had their names, driver’s license numbers or dates of birth compromised. The OAG published this on Sept. 26.
- Trinity County reported that 379 Texans had multiple pieces of information compromised including names, Social Security numbers and financial information. The county notified affected people by mail, and the report was published Sept. 18.