A data breach using a "critical vulnerability" in file-transfer software used by a national contractor doing work for Pima County exposed the health and personal data of about 110,000 residents, county officials said Wednesday.

Maximus Health Services was hired by Pima County from 2020 to 2022 to help officials manage COVID-19 case investigations and contact tracing. As part of its services, the company used MOVEit Transfer, a third-party software application regularly used by organizations to move large amounts of data, including sensitive information such as medical records, billing data, and Social Security numbers.

In May, hackers managed to break into MOVEit Transfer and gain access to tens of millions of records from clients across the nation, including information from Maximus and other government contractors and agencies in other states.

The two companies said the stolen data did not include Social Security numbers; however, the breach did include personally identifying information and some health information, mostly about positive COVID-19 tests, county officials said.

Maximus Health Services was paid nearly $22 million during the three-year contract with the county, funded by federal dollars aimed at mitigating the spread of COVID-19. While the contract with Maximus ended July 31, the company "has not performed any work under the contract since the end of 2022," county officials said.

Since the pandemic began, there have been at least 298,161 COVID-19 cases in Pima County, and 4,057 people have died from the disease since it first arrived in the county in March 2020, according to Pima County data.

As the county sought to mitigate the spread of coronavirus, it hired Maximus to contact people who were COVID-19 positive, informing them of "then-current protection protocols and treatment options to protect their family, friends, and members of the community from COVID-19, and reduce the spread of the disease," county officials said. The company reached out to 214,440 people about their COVID-19 infection, and contacted another 151,999 people likely exposed to the virus.

Altogether, Maximus had over 366,000 records on area residents; however, only 110,538, or about 30 percent of the records, were compromised by the intrusion, county officials said.

County officials said hackers may have gained access to personal information, including names and birthdates, as well as COVID-19 test results and, for those who responded to a COVID-19 survey or questionnaire, information about medical condition or medical risk.

On Wednesday, Maximus will begin sending letters to county residents exposed by the breach, telling them about steps they can take to protect their personal information, including free credit monitoring from Experian, a credit reporting agency, county officials said.

County officials said the data did not include home addresses or working email addresses for about 40,000 people affected by the breach, limiting the number of people Maximus can reach via letter. The company recommended that those who do not receive a letter from Maximus, but were contacted by the Health Department from 2020 through 2022 for a COVID-19 positive test or exposure, contact Experian for information about how to protect their personal information.

The county has a web page — www.pima.gov/Maximus — with information about the data theft incident, and information about contacting Experian for credit monitoring. Maximus said they are offering "two years of complimentary credit monitoring, identity restoration, and fraud detection services" through Experian.

"The Health Department is dismayed about this theft of personal data," said Dr. Theresa Cullen, director of the Pima County Health Department. "We're diligent about protecting patient records and we have strong data protection protocols in place for digital records and paper records."

"In 2020, the Health Department, like other counties throughout the country, contracted with agencies like Maximus, which has a stellar national reputation, to assist us in COVID-19 spread mitigation. Contact tracing and case investigations were essential, required additional staff to keep up with the volume and to do thorough, sometimes time-consuming investigations. We wouldn’t have been as successful as we were protecting people from COVID in Pima County without Maximus," Cullen said.

The breach exposed data for more than 1,000 organizations worldwide, affecting as many as 60 million people, according to the data analysis firm Emsisoft.

This includes data for as many as 612,000 Medicare recipients, according to the Centers for Medicare and Medicaid Services. The intrusion also hit the Louisiana Office of Motor Vehicles and the Colorado Department of Health Care Policy and Financing, Emsisoft said.

Maximus said that on May 30 it detected "unusual activity" on MOVEit and investigated the issue with "the help of nationally recognized cybersecurity experts." The next day, the company took MOVEit offline, it announced in a press release.

That same day, the Massachusetts-based company Progress Software announced a vulnerability in its software that allowed an unauthorized party to gain access to the files of many MOVEit customers. The company released a patch, allowing organizations to protect their data; however, in many cases the damage was already done.

Maximus officials said they applied the patches from Progress Software to plug the vulnerability in MOVEit.

On June 12, the company informed officials that a breach had occurred, and hired a forensic investigation firm and a data analysis firm to track which records and types of information might have been accessed. The company said that from around May 27 through May 31, someone accessed copies of some files saved on MOVEit. "After learning about the files, Maximus began to analyze the files to determine which data was affected," the company said.

On August 10, Maximus notified officials that files containing some personal information of Pima County residents were accessed. "Maximus takes the privacy and security of personal information very seriously and regrets that this incident occurred," the company said.

County officials said the incident "prompted a review" of the county’s contracting language when it comes to data gathering and storage by companies hired by the county, as well as the county’s own digital security protocols.

"In light of this incident, our dedication to safeguarding Pima County's data is reinforced through both contractual obligations and robust technical measures. This breach did not affect Pima County's internal data systems, only external systems managed by Maximus. We are continuously monitoring and enhancing security measures to ensure all data remain secure and well-protected," said Javier Baca, the director of Pima County information technology.

"Pima County requires contracts we enter into that enable a contractor to utilize county-provided data in the performance of its services, including the Maximus contract, have provisions for data protection, storage, and destruction at the end of the contract and restricted use of personal identifying information according to state and federal law," Baca said.

The company said county residents should regularly monitor their account statements and their free credit reports.

Those affected by the breach should call Experian toll-free at 1-833-919-4749, and Maximus said that when people receive a mailed notification, they should use the engagement number provided in the letter to access Experian's services.