Baylor College of Medicine reports MOVEit related data breach

A data security breach has been reported by a vendor utilized by Baylor College of Medicine for its employee wellness portal. The college was officially informed of this potential breach on June 5, though it is crucial to note that no patient information was compromised during this incident.

The breach is linked to a third-party file transfer program MOVEit, which is used by Baylor College of Medicine and managed by the supplier Vitality Group LLC. On May 30, Vitality Group LLC identified a security vulnerability within MOVEit, raising concerns about potential unauthorized access.

Upon the discovery of this security vulnerability, Vitality Group LLC's internal security team took action to eliminate the known risk of exploitation. However, before the vulnerability could be fully addressed, an unauthorized third party did manage to gain access to the server used for the MOVEit program, where certain files from Vitality Group were stored.

Nonetheless, for a specific subset of individuals, the potentially exposed information could have encompassed the following:

• full names,
• employee IDs,
• employers,
• dates of birth,
• Social Security numbers,
• Protected Health Information (PHI).

This PHI specifically included biometric screening data and laboratory results.

No details are available about the number of impacted individuals.

Vitality Group has found no concrete evidence that its systems were directly impacted by this incident, nor are they currently at risk. This is due to the limited personal and health information shared with Vitality Group as part of Baylor College of Medicine's employee wellness program. Most participants in the BCM Vitality program had minimal exposure of their personal information.

In a bid to provide additional support to those affected, Vitality Group partnered with Experian to offer two years of credit monitoring for individuals whose Social Security numbers and health information may have been exposed.