Medicare data exposed in data breach at Boston consulting firm

In a recent cybersecurity incident, a Boston-based consulting firm that provides litigation support services to the U.S. Department of Justice (DOJ) fell victim to a data breach. The attack, conducted by a ransomware organization, compromised the personal and medical information of nearly 342,000 individuals.

What happened

The consulting firm Greylock McKinnon Associates (GMA) breach occurred on September 28th, 2023. The attackers used a double-extortion tactic, where they first exfiltrated the data and then encrypted several company systems. GMA discovered the unusual activity on their internal network on May 30, 2023, but only confirmed the affected individuals and obtained their contact addresses on February 7, 2024, for notification purposes.

The compromised information includes individuals' personal and Medicare data and some medical and health insurance information. The data accessed by the attackers was obtained from the DOJ as part of a civil litigation matter and the services GMA provided in support of that work.

Going deeper

Upon discovering the breach, GMA immediately mitigated the impact and protected affected individuals. The company has been in frequent communication with its impacted customers to support their response efforts. GMA began notifying the affected clients on December 12th and is offering them 24 months of identity and credit monitoring services.

In their notices to the affected patients, GMA assured them that there is no evidence of misuse of their information and that the breach does not impact their current Medicare benefits or coverage. The company emphasized its commitment to cybersecurity and pledged to strengthen its investments in preventing future incidents.

What was said

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said the incident highlighted that threat actors were adept at stealing personally identifiable information (PII) not just from its original source, but wherever it was easiest to access.

“Security through obscurity no longer exists. Frequently, firms who provide consulting services to government agencies are being targeted as the weak link in the chain,” he said.

“This island-hopping attack should be concerning not only to the victims whose PII was stolen but to the DOJ who should reevaluate the cybersecurity of this vendor.”