The University of Utah has documented four related nationwide data breaches traced back to MOVEit Transfer, a file transfer software used by third-party contractors.

University of Utah Health Plans records were exposed through vendor TMG Health, Inc. U Advancement records were exposed through software used by TIAA Kaspick. Human Resources benefits records may have been exposed through TIAA’s third-party vendor contract. And student records managed by the University Registrar through the National Student Clearinghouse, a software system for verifying degrees and enrollment, may also have been compromised.

• On June 21, 2023, third-party vendor TMG data security personnel discovered an unauthorized external user accessed a MOVEit file transfer server and downloaded files between May 30 and June 2 that potentially contained some University of Utah Health Plans (UUHP) member information. Once TMG learned of the access, they blocked the unauthorized user from further access and notified UUHP. Approximately 3,900 patient records were accessed, with potential exposure of: mailing address, email address, phone number, date of birth, Social Security Number, medical claims information, banking information, billing information, and/or medical treatment information. On Aug. 10, UUHP mailed letters to members whose information may have been impacted. UUHP has no indication that member information has been misused, however, UUHP has advised potentially impacted members to monitor their accounts, charges, and statements for any discrepancies or services that they did not receive. Those members are encouraged to report any concerns to their local law enforcement or consumer protection agency. (Updated Aug. 11, 2023.)
• On June 29, a third-party vendor for University of Utah Advancement reported a data breach involving donor records. TIAA Kaspick alerted U advancement leaders about the security breach, which occurred at the end of May. Approximately 30 planned/legacy giving donors to the University of Utah were impacted. Personal information including their names, birthdates and Social Security numbers were exposed. No other information was compromised. All impacted donors or their representatives have been notified, and the vendor is offering free credit monitoring for two years to each of the individuals impacted. At this time, no fraudulent activity related to the breach has been reported.
• TIAA notified University Human Resources on July 7 that data—including dates of birth and Social Security numbers—for more than 13,800 current and former employees may have been exposed. Working with Human Resources, TIAA has communicated directly with employees. (Updated Aug. 31, 2023.)
• In a notice to the University Registrar Aug. 9, the National Student Clearinghouse’s representative wrote, “We did not identify any individuals associated with your organization whose Social Security number (‘SSN’), student identification number (‘Student ID’), or date of birth (‘DOB’), as provided by your organization was included in the affected files.” Other state colleges and universities and the Utah System of Higher Education also have been impacted. Read the USHE student notice here: https://ushe.edu/nsc-data-student-notice/. (Updated Aug. 31, 2023.)

This story will be updated as more information becomes available.