Baltimore County Residents' Data Potentially Exposed By Russian-Led Cyberattack


A cyberattack on the MOVEit file transfer platform, led by a Russian extortion gang, opened access to millions of private records. (Credit: Shutterstock)

BALTIMORE COUNTY - The Baltimore County Government announced last week that it was among the thousands of victims of the "MOVEit" file transfer software security breach.

PBI Research Services (PBI) notified the county on June 14 that Baltimore County residents' first and last names, dates of birth, addresses, and Social Security may have been leaked due to the breach.

A cyberattack on the MOVEit file transfer platform, led by a Russian extortion gang, opened access to millions of records from various organizations that employ the service. The breach was attributed to a technical vulnerability within the platform, allowing the hackers to access private information from May 29-30, 2023.

Following the detection of the breach, Progress Software made its customers aware of the situation on May 31 and released a security patch. Despite their efforts, cybersecurity analysts indicate that external parties had already illicitly accessed significant amounts of sensitive data.

According to the Baltimore County Government, an extensive internal investigation by PBI has yet to reveal any direct misuse of residents' private information.

The county clarified that PBI will directly notify any individuals affected by the breach and is launching a dedicated call center to address queries and offer credit monitoring for those impacted by the breach. Details regarding the credit monitoring services and instructions to contact the call center will be enclosed within the PBI notification letters sent to potentially affected individuals.

Johns Hopkins Medicine, another notable victim of this breach, is facing a class action lawsuit for allegedly failing to notify victims of the breach.

A complaint lodged by Pamela Hunter, a Baltimore County resident and victim of the data breach, alleges that those affected only learned about the breach and the university's possession of their data through a letter received on June 24.

Hunter is seeking damages from the university for the trauma inflicted by having one's sensitive health information stolen and potential future harm due to the exposed data, including Social Security numbers and healthcare information.

"Plaintiff and the Class Members remain, even today, in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PHI/PII and financial information going forward," the complaint states.

In response to the breach, Johns Hopkins launched an investigation and has begun reinforcing data security measures. To comply with the Health Insurance Portability and Accountability Act (HIPPA), the university must provide details about the compromised data, suggestions for victims to safeguard their information, an outline of the investigation and preventative steps, and a contact for further queries within 60 days of discovering a data breach.

Hopkins has created a dedicated website to provide this information to victims and answer questions related to the data breach.

More News from Perry Hall
I'm interested
I disagree with this
This is unverified