In October 2023, NASCO filed a notice of data breach with the Attorney General of Massachusetts after discovering that a vulnerability within MOVEit, a secure file-transfer application used by the company, resulted in an unauthorized party being able to access certain information in the company’s possession. In this notice, NASCO explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information. Upon completing its investigation, NASCO began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.
If you receive a data breach notification from NASCO, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the NASCO / MOVEit data breach. For more information, please see our recent piece on the topic here.
What Caused the Data Breach Affecting NASCO?
The MOVEit / NASCO data breach was only recently announced, and more information is expected in the near future. However, NASCO’s filing with the Attorney General of Massachusetts provides some important information on what led up to the breach. According to this source, NASCO uses a third-party file-transfer software called MOVEit, which was created by another company named Progress Software. On May 31, 2023, Progress Software announced that MOVEit contained a critical vulnerability. However, it was not until July 12, 2023, that NASCO learned information stored on its MOVEit server may have been impacted.
In response to learning about the vulnerability, NASCO secured its systems, which included decommissioning its MOVEit server. NASCO also launched an investigation into the incident to learn more about what, if any, consumer information was leaked.
The NASCO investigation confirmed that an unauthorized party was able to access NASCO’s MOVEit server on May 30, 2023, which contained confidential information belonging to certain health plan members. The incident did not involve a breach of NASCO’s systems, and only information stored within the company’s MOVEit server was subject to unauthorized access.
After learning that sensitive consumer data was accessible to an unauthorized party, NASCO reviewed the compromised files to determine what information was leaked and which consumers were impacted.
In October 2023, NASCO sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.
More Information About NASCO
NASCO is a healthcare software company based out of Atlanta, Georgia. NASCO specifically works with Blue Cross Blue Shield to create digital health solutions related to enrollment, membership, billing & rating; servicing & advocacy; claims adjustment & benefits management; and professional services. More than 20 million BCBS members have been served using NASCO products. NASCO employs more than 620 people and generates approximately $130 million in annual revenue.