MOVEit Data Breach: Know What to do if Your Personal Information Has Been Exposed

Several insurance companies operating in Maryland have notified the Insurance Administration that the personal information of some Maryland consumers was exposed during data breaches of certain MOVEit cloud-hosting and file transfer services.

The information exposed may include Social Security numbers, birthdates, and other sensitive identifying information. As of this date, the Administration has only received notices from insurers that issue life, annuity, and long-term care products.

This MOVEit data breach event is widespread and not limited to the insurance industry. The MOVEit attack was allegedly undertaken by a criminal hacking group known as Clop and appears to have resulted in the theft of data from many organizations in the US and Europe. If your personal information is posted online or sold to criminals, someone might use it to “steal” your identity. That includes taking out credit in your name using your identifying information and potentially impacting your credit history.

If personal information about you is exposed as a result of certain cybersecurity events (such as the MOVEit attack), Maryland law requires your insurance company to notify the Maryland Insurance Administration of the event and to send you a notice of the exposure. If you receive such a notice, it is very important that you read and act on the notice quickly. The notices will describe what has occurred, the potential impact on you, and the actions being taken by the company to try to limit harm. If you have any questions about the notice, contact the company immediately.

What should you do now?

  • If you are not sure if a letter or email was sent by your insurance company, call a trusted phone number to check. A trust phone number is a number that you are sure belongs to the insurance company – this could be a customer service number for the insurance company listed on your policy, an old invoice, or your insurance card, or the number for your insurance agent. If in doubt – call the Maryland Insurance Administration. We will help you.
  • If you don’t receive a notice but are concerned, you can call your insurance company’s customer service number.
  • If you receive a notice, read it right away and read it carefully. The company will probably offer free credit monitoring for a time. Credit monitoring means that your credit report is being checked to see if someone opens a new account in your name or with your social security number.
  • Be careful if you get a call from someone claiming to be from your insurance company. It is very unlikely that your insurance company will reach out to you by phone. Notices come in the same way you get your invoices or other policy information – by mail and, if you have elected it, by e-mail. If you get a call, you can hang up and call the company back using a trusted phone number that you already know belongs to the company.
  • Be careful of any offers, phone calls, or emails you receive from other sources offering to help. Do not trust an offer that says it is from your insurance company, but asks you to pay them money or asks you for information that your insurance company should already have. That is a red flag! Hang up and call them back at a trusted phone number that you already know belongs to the company.

When you call your insurance company or you take action to enroll in free credit monitoring, you might have to give some additional information so that they know it is you calling. It is safe to do this if you are the one making the call using a number that you know is a real number. When in doubt – call your agent, call the customer service number on your insurance card or policy, or call the Maryland Insurance Administration.

If you have any questions about what to do, including questions about the data breach, and how it might affect your information with your insurance company, contact the Maryland Insurance Administration at 1-800-492-6116, ext. 2244 (toll-free) or 410-468-2244. We are here to help you.