Notice of Data Security Incident
Frequently Asked Questions
On May 31, 2023, GRIPA learned of the global attack on the file transfer tool called MOVEit. GRIPA immediately stopped access to MOVEit and had a forensic investigation conducted to determine what occurred and whether any data was compromised. The investigation was completed on June 5, 2023, at which point GRIPA determined that files were taken from the MOVEit server. GRIPA then worked with a vendor to review these files for any personal information. This process was completed on September 1, 2023, at which point GRIPA determined that some personal information was impacted.
When did it happen?
GRIPA identified the individuals whose personal information may have been impacted on September 1, 2023.
Who is GRIPA?
GRIPA provides care coordination and health care management solutions to your provider or health insurance plan and would have been provided with personal information to perform these services.
How did GRIPA receive/obtain my personal information?
GRIPA would have been provided a limited amount of personal information to perform contractually required services. These services may include care coordination or health care management solutions for providers or health insurance plans, or delegated credentialing services to health plans. The personal information is sent to GRIPA through MOVEit, a file transfer software platform.
What should I do to protect my personal information?
It is always a good idea to review bank or credit card statements and immediately contact the appropriate financial institution if there is any suspicious activity. Individuals can also enroll in the credit monitoring and identity protection services provided at no cost. The Federal Trade Commission’s website, www.identitytheft.gov, contains more information on protecting your identity.
What has GRIPA done to remediate this situation and ensure systems and data are protected?
GRIPA stopped access to the MOVEit service, securely restored their servers from backups, and applied the fix provided by the MOVEit software provider, Progress.
Has the information been misused?
No, GRIPA has no evidence that any personal information has been misused.
What part of my health information was impacted?
We can assure you that medical records were not impacted by this incident. The information impacted is very limited in nature, and is described in more detail in the letter you received. For instance, for some people, the name of their doctor, date of last visit, and perhaps prescription information was all that was affected.