NASCO Blue Cross Blue Shield Data Breach

December 20, 2023

By now affected members of the MIT community should have started receiving notices from NASCO about the Blue Cross Blue Shield insurance data breach which exposed sensitive and personal client data.

The exploit involves a reported vulnerability in the MOVEit file copying software, which NASCO used to move files with sensitive Blue Cross Blue Shield data to and within its systems.

https://cybernews.com/news/nasco-moveit-data-breach/#:~:text=Threat%20actors%20were%20able%20to,longer%20accessible%20from%20the%20internet.%E2%80%9D

To date, the MOVEit vulnerability attack has exposed sensitive data of users from over 600 corporations, educational institutions, and government agencies.

https://www.blackfog.com/what-we-know-about-the-moveit-exploit/

Though the breach at NASCO involving this software happened in May 2023, NASCO finally reported the breach on October 25th, 2023, after it was able to assess the full scope of the attack.

https://www.nasco.com/datasecurity/

A class action lawsuit filed in response to the breach claims 804k people within the Blue Cross Blue Shield of Massachusetts network were affected by the data breach. This includes some members of the MIT community.

https://www.classaction.org/news/2023-blue-cross-blue-shield-of-massachusetts-data-breach-lawsuit-says-804k-people-affected-by-moveit-hack

The City of Canton, MA has posted a more detailed FAQ about this breach and the types of data exposed. It is important to note that it is uncertain which pieces of personal and sensitive data were exposed for each individual user. It is known that some Social Security numbers as well as addresses were exposed for some Medicare Advantage users, but given the quantity of data involved there is currently no way to know for sure which pieces of data were exposed for any specific group of customers or any individual customer.

https://www.town.canton.ma.us/DocumentCenter/View/10948/FAQ---NASCO-Data-Security-Incident?bidId=

NASCO recently sent letters to many of its affected clients with an activation code for an Experian credit monitoring service.

If you are concerned about your identity, best practices recommend that you take advantage of the Experian credit monitoring service. The service will also report whether it finds your private information for sale on the internet, and notify you of any suspicious activity on your credit. If the service notifies you of compromised passwords or identities, you should take immediate steps to mitigate the exposure by changing those passwords and the password of any account that uses that exact same password.

Please let us know if anyone has any questions or concerns.