A data breach involving a company contracted by the Pima County Health Department, included information on 110,000 Pima County residents, according to a news release issued by PCHD.
The data stolen was collected by Maximus Health Services, Inc., a company that the county contracted to conduct COVID-19 case investigations and contact tracing from 2020 to 2022. Hackers extracted the information from Progress Software Corporation's MOVEit Transfer application. Maximus used MOVEit as part of the management of its collected data, according to the news release.
Maximus notified the county about the breach on Aug. 10.
The stolen data did not include Social Security numbers, according to the news release, but it did include:
- Names, addresses, dates of birth, telephone numbers, email addresses, and IP addresses
- COVID-19 test results, and symptoms related to COVID-19
- Dates of service
- Yes/no survey responses regarding other medical conditions or medical risks
Maximus started sending out notification letters, but neither Maximus nor the County have contact information for 40,000 of the 110,000 affected people in Pima County.
Maximus advises anyone who received phone calls or letters from the company between 2020 and 2022 who have not been contacted about the breach, to contact Experian for information on protecting their personal information, the news release said.
Because of the incident, Pima County is reviewing its contracting language when it comes to data gathering and storage.
More information about the breach can be found here.