More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say.
The company, Maximus Health Services Inc., notified the county earlier this month that data stolen from a breach of Progress Software Corporation’s MOVEit Transfer application in May included information on about 110,000 Tucson area residents, a news release from the county health department said.
The county had contracted Maximus from 2020 to 2022 to do COVID-19 case investigations and contact tracing. Although the contract ended on July 31, Maximus has not performed any work under the contract since the end of 2022, the news release said.
The MOVEit hack involved millions of records from its clients across the nation. The companies have assured the county that the stolen data did not include social security numbers. However, it did include personal information and some health information, the news release said.
Affected information includes names, addresses, dates of birth, telephone numbers, email addresses, IP addresses, COVID-19 test results, symptoms related to COVID-19, dates of service and responses to a survey regarding other medical conditions or risks, the news release said.
Out of the total 366,399 patient records retained by Maximus, about 30% were compromised by the MOVEit data breach, officials say.
“The Health Department is dismayed about this theft of personal data,” Dr. Theresa Cullen, the county health department director, said in the news release.
“We’re diligent about protecting patient records and we have strong data protection protocols in place for digital records and paper records. In 2020, the Health Department, like other counties throughout the country, contracted with agencies like Maximus, which has a stellar national reputation, to assist us in COVID-19 spread mitigation. Contact tracing and case investigations were essential, required additional staff to keep up with the volume and to do thorough, sometimes time-consuming investigations. We wouldn’t have been as successful as we were protecting people from COVID in Pima County without Maximus.”
The data breach has also prompted a review of the county’s contracting language when it comes to data gathering and storage and digital security protocols.
“In light of this incident, our dedication to safeguarding Pima County’s data is reinforced through both contractual obligations and robust technical measures. This breach did not affect Pima County’s internal data systems, only external systems managed by Maximus. We are continuously monitoring and enhancing security measures to ensure all data remain secure and well-protected,” Pima County’s County IT Director Javier Baca said in the news release.
Maximus began sending letters to affected patients on Wednesday that tell them what steps they can take to protect their personal information. Due to the breach, Maximus is offering two years of complimentary credit monitoring, identity restoration and fraud detection services through Experian.
Out of the 110,000 people affected, Maximus and the county do not have the contact information for about 40,000 affected individuals.
Anyone who received phone calls or letters between 2020 and 2022 from the county health department about COVID-19 positive tests or exposures who doesn’t receive a notification letter from Maximus within the next week is asked to contact Experian for information on how to protect their information, the news release said.
Experian can be reached at 833-919-4749 or at 1600 Tyson’s Blvd., Suite 1400, McLean VA 22102.
The county health department has a website, http://tucne.ws/1o3v, with information about the data breach and how to contact Experian.