{
	"id": "11dd1266-1029-4b16-913b-12205f3bcb09",
	"created_at": "2026-04-06T00:14:46.458518Z",
	"updated_at": "2026-04-10T13:11:19.78945Z",
	"deleted_at": null,
	"sha1_hash": "ed4a4f8791b936ef7ab400d2ebdda4190b1af6b7",
	"title": "Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52180,
	"plain_text": "Medical files of 8M-plus people fall into hands of Clop via MOVEit\r\nmega-bug\r\nBy Jessica Lyons\r\nPublished: 2023-07-27 · Archived: 2026-04-05 23:40:28 UTC\r\nAccounting giant Deloitte, pizza and birthday party chain Chuck E. Cheese, government contractor Maximus, and\r\nthe Hallmark Channel are among the latest victims that the Russian ransomware crew Clop claims to have\r\ncompromised via the MOVEit vulnerability.\r\nDeloitte confirmed an intrusion but declined to answer The Register's questions about how much and what type of\r\ndata was accessed in the incident. The biz now joins PwC and Ernst and Young – all three big accounting firms –\r\namong the hundreds of organizations compromised by Clop via a security hole in vulnerable deployments of the\r\nfile-transfer tool MOVEit.\r\n\"Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor's security updates\r\nand performed mitigating actions in accordance with the vendor's guidance,\" a Deloitte Global spokesperson\r\nexplained.\r\n\"Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited.\r\nHaving conducted our analysis, we have seen no evidence of impact to client data.\"\r\n8m-11m patients' healthcare data accessed\r\nMeanwhile, in a US Securities and Exchange Commission filing on Wednesday, Maximus, which does the admin\r\nfor US government programs like Medicaid and Medicare, disclosed that the personal information of as many as\r\n11 million individuals was \"accessed\" by Clop. 
\r\n\"Based on the review of impacted files to date, the company believes those files contain personal information,\r\nincluding social security numbers, protected health information and/or other personal information, of at least 8 to\r\n11 million individuals to whom the company anticipates providing notice of the incident,\" Maximus's 8-K filing to\r\nthe SEC stated.\r\nIn a statement provided to The Register, a spokesperson said Maximus responded \"quickly\" to mitigate the\r\nMOVEit vulnerability, and is continuing to investigate the incident. The company will record an expense of up to\r\n$15 million to cover the cost of cleaning up.\r\n\"To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate\r\nnetwork and remain confident in the integrity of the network,\" the Maximus spokesperson said.\r\n\"We have been working with the subset of our customers who were using MOVEit as part of their workflows and\r\ncontinue to provide updates and support to them as our investigation proceeds. We continue to closely monitor our\r\nsystems for any unusual activity.\"\r\nhttps://www.theregister.com/2023/07/27/maximus_deloitte_moveit_hack/\n\nNeither Chuck E. Cheese nor the Hallmark Channel immediately responded to The Register's inquiries after Clop\r\nlisted both on its leak site.\r\n514 compromised organizations and counting\r\nThe new additions to the victims' list bring the headcount to 514 organizations and more than 36 million\r\nindividuals, according to Emsisoft threat researchers.\r\nThe team has been scouring state breach notifications, SEC filings, other public disclosures, and Clop's website to\r\nupdate their list of affected orgs and people at least every 24 hours since the fiasco started.\r\n\"How many organizations and individuals have been impacted by this incident remains to be seen,\" Emsisoft\r\nThreat Analyst Brett Callow told The Register. 
\"Given the complexity of the upstream/downstream, it's highly\r\nlikely that some of the organizations which have been impacted don't yet realize they've been impacted.\"\r\n\"It will likely take months if not years for the full impact and costs to become clear as the legal proceedings will\r\nnot play out quickly,\" he added.\r\nProgress Software, which makes the MOVEit file transfer suite, is facing multiple class-action lawsuits stemming\r\nfrom the vulnerability. So are some of Progress Software's customers, including Johns Hopkins University and\r\nJohns Hopkins Health System. \r\nThe latter two lawsuits allege that the university and health-care provider failed to properly secure patients'\r\nprotected health information that was accessed in the breach. \r\nAlso interesting are the organizations that were listed, and then removed, from Clop's leak site. This potentially\r\nindicates the ransomware gang was bluffing, or the companies decided to negotiate with the extortionists and pay\r\nup, or the crew gave the businesses a break.\r\nAccording to Callow, recently delisted firms include the aforementioned Maximus, TD Ameritrade, Global\r\nUniversity Systems (GUS) Canada, Greenshield, National Student Clearinghouse, and security biz Telos\r\nCorporation.\r\nProgress Software initially disclosed the first MOVEit bug, a SQL injection vulnerability tracked as\r\nCVE-2023-34362, on May 31 and patched it the next day.\r\nSince then, bug hunters have spotted other vulnerabilities and reported them to Progress, bringing the total number\r\nto six as of July 5. 
All of these have since been fixed, and Progress has said none of the vulnerabilities discovered\r\nafter the first bug on May 31 have been exploited. ®\n\nSource: https://www.theregister.com/2023/07/27/maximus_deloitte_moveit_hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2023/07/27/maximus_deloitte_moveit_hack/"
	],
	"report_names": [
		"maximus_deloitte_moveit_hack"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed4a4f8791b936ef7ab400d2ebdda4190b1af6b7.pdf",
		"text": "https://archive.orkl.eu/ed4a4f8791b936ef7ab400d2ebdda4190b1af6b7.txt",
		"img": "https://archive.orkl.eu/ed4a4f8791b936ef7ab400d2ebdda4190b1af6b7.jpg"
	}
}