Southwestern Vermont Medical Center reports MOVEit related data breach, 19k patients exposed

The Southwestern Vermont Medical Center (SVMC) is in the process of alerting approximately 19,000 individuals about a cybersecurity breach that potentially exposed personal data. This incident traces back to a vulnerability in the MOVEit Transfer software, reported in late May. The MOVEit platform was a widely used for secure file transfer by numerous organizations globally.

SVMC became a victim of this breach through its subcontractor CBIZ KA Consulting Services, a firm contracted by SVMC for the analysis of medical service claims as well as billing and payment procedures. CBIZ, in turn, relied on MOVEit Transfer services provided by Progress Software for its data management tasks.

The exposure was discovered when unauthorized downloads of files were detected during the period between late May and early June.

The compromised data included patients:

• names,
• addresses,
• dates of birth,
• service dates,
• physicians' names,
• health insurance details,
• medical treatment details,
• costs associated with medical treatments.

SVMC emphasized the importance of patients reviewing their medical bills closely for any signs of suspicious claims that could indicate their information was used fraudulently. CBIZ has taken responsibility for informing SVMC's patients about the breach, detailing the nature of the incident in the notification letters.