Data Security Incidents Impact University of Utah Health Plans Members

University of Utah Health Plans (UUHP) has reported data security incidents related to the utilization of MOVEit file transfer software by two vendors. These separate incidents, though independent, highlight the pressing need to secure sensitive data in an increasingly digitized world.

Did You Receive UUHP Notice Letter?

University of Utah Health Plans
Did you receive notice from University of Utah Health Plans that your information was breached?
Do you still have a copy of the notice letter?

TMG Health, Inc. Incident

On June 21, 2023, TMG Health, Inc. (TMG) identified an unauthorized external user who had gained access to a MOVEit file transfer server. This individual proceeded to download files that may have contained information of UUHP Medicare Advantage members. Unauthorized access took place between May 30, 2023, and June 2, 2023. TMG responded promptly by blocking the unauthorized user and informing UUHP, who received notification of the incident on June 22, 2023.

The potentially affected data comprised UUHP Medicare Advantage members’ names, along with one or more of the following: mailing address, email address, phone number, date of birth, Social Security Number, medical claims information, banking information, billing information, and medical treatment data.

Virgin Pulse Incident

Similarly, on May 31, 2023, Virgin Pulse, a vendor assisting UUHP in member communication for routine care and benefits enrollment, reported a potential security incident relating to their use of MOVEit file transfer software. Virgin Pulse secured the file access software and initiated an investigation, which confirmed unauthorized access to files containing personally identifiable information from a Virgin Pulse server on May 30, 2023, related to UUHP HealthyU members. Virgin Pulse first notified UUHP of this incident on August 3, 2023, and provided information identifying impacted individuals on October 2, 2023.

The potentially impacted data in this incident included UUHP HealthyU members’ names, along with one or more of the following: mailing address, email address, phone number, date of birth, and member ID. Importantly, Social Security numbers and financial account information were not compromised in the Virgin Pulse incident.

Response and Remediation

In response to the TMG incident, notification letters were dispatched to impacted individuals with valid addresses on August 10, 2023. For the Virgin Pulse incident, notification letters were sent to affected members with valid addresses on October 20, 2023. In these letters, potentially affected individuals were advised to monitor their accounts, charges, and statements for any discrepancies or services they did not receive. They were encouraged to promptly contact the billing entity if they detected suspicious charges.

In a proactive effort to protect members from potential adverse consequences, UUHP is offering one year of complimentary personal identity and privacy protection monitoring to individuals whose Social Security Numbers may have been compromised.

These incidents serve as a reminder of the cybersecurity threats in today’s digital age and reinforce the need for robust security measures to safeguard sensitive patient data. Efforts are ongoing to ensure transparency, diligence, and the protection of member information in response to these incidents.