On July 25, 2023, the Johns Hopkins University and the Johns Hopkins Health System Corporation (collectively “Johns Hopkins'') filed a notice of data breach with the Attorney General of Maine on behalf of the Kennedy Krieger Institute after learning that a software vulnerability resulted in confidential consumer information being leaked. In this notice, Johns Hopkins explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names and Social Security numbers. Upon completing its investigation, Johns Hopkins began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a letter from Johns Hopkins describing a data breach affecting Kennedy Krieger Institute, it is essential you understand what is at risk and what you can do about it. Although Kennedy Krieger Institute’s IT network was not affected by the incident, the Institute provided Johns Hopkins with certain consumer data, which was transferred using MOVEit. Thus, confidential consumer information provided to the Kennedy Krieger Institute was among the data leaked in the Johns Hopkins breach. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Johns Hopkins MOVEit data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Kennedy Krieger Institute?

The Johns Hopkins / Kennedy Krieger Institute data breach was only recently announced, and more information is expected in the near future. However, Johns Hopkins’s filing with the Attorney General of Maine provides some important information on what led up to the breach. According to this source, Johns Hopkins uses a secure file transfer application called MOVEit, which is a product of Progress Software. On May 31, 2023, Progress Software notified Johns Hopkins that MOVEit contained a critical vulnerability that allowed unauthorized parties to access data that was transferred through MOVEit.

In response, Johns Hopkins disconnected its MOVEit server and launched an investigation into the incident with the help of third-party data security specialists. The Johns Hopkins investigation confirmed that an unauthorized party exploited the MOVEit vulnerability and accessed the Johns Hopkins network on May 29, 2023. It was also determined that the unauthorized actor downloaded certain files containing information belonging to Johns Hopkins University, Johns Hopkins Health System Corporation, and Kennedy Krieger Institute. This included confidential consumer information.

After learning that sensitive consumer data was accessible to an unauthorized party, Johns Hopkins reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name and Social Security number.

On July 25, 2023, Johns Hopkins sent out data breach letters on behalf of the Kennedy Krieger Institute to anyone who was affected by the recent data security incident.

More Information About Kennedy Krieger Institute

Founded in 1937 and located in Baltimore, Maryland, Kennedy Krieger Institute is a non-profit organization focused on improving the lives of individuals with neurological, rehabilitative or developmental needs. Kennedy Krieger Institute operates a network of inpatient and day hospital programs, outpatient clinics, and home & community services. Kennedy Krieger Institute also provides education and conducts research and clinical trials. Kennedy Krieger Institute employs more than 2,500 people and generates approximately $315 million in annual revenue.