SAN ANTONIO — Laura Garza has a daughter with special needs and she gets assistance from Texas Health and Human Services. On Monday, she received a letter stating that her daughter's medical information, including her name, address, date of birth, Social Security number and appointment information, may have been exposed in a data breach.
The letter was not, however, from the Texas Department of Health and Human Services (HHS). Instead, it was from a company named "Maximus, Inc" which does contract work for HHS.
The letter stated:
"Maximus is a contractor to the Texas Health and Human Services Commission and provides services to support certain government programs. Your minor's information was affected because this incident affected information shared with us and by us for administrative purposes.
"The incident involved a critical vulnerability in MOVEit Transfer, a third-party software application programmed by Progress Software Corporation. Maximus is among the many organizations in the United States and globally that have been impacted by the MOVEit vulnerability."
A data breach report on the OAG website shows up to 88,498 Texans may have been affected by a Maximus, Inc security breach this year.
The letter went on to say Maximus would offer two years of credit monitoring, identity restoration, and fraud detection services through Experian. Garza said her daughter was not even 10 years old yet, and two years of credit monitoring is not nearly enough to protect her from identity theft in the future.
"In the future when she is older if she wants to apply at a bank or get a house and she applies for credit, are they going to tell her 'no' because in 2023 someone opened 20 bank accounts in her name and charged them to the max?" Garza said. "It's very stressful and very concerning."
KENS 5 reached out to Texas Health and Human Services on Friday and asked if they had any response for affected Texans, as parents trusted HHS with the data first.
A spokeswoman for HHS simply replied, "HHSC has no comment."
Garza said Texas Health and Human Services owes Texans a response on the issue.
"I would like a better, more thorough, explanation of the situation and how they are handling this," Garza said.
KENS 5 also contacted Maximus, and that company provided a statement. The statement said in part:
"Once Maximus’s comprehensive investigation determined that some of Maximus’s client organizations were impacted, Maximus promptly began providing formal notification on behalf of those organizations, including the Texas Health and Human Services Commission. This investigation took time to complete given the nature of the MOVEit application. At this time, we do not have any evidence of data misuse. However, out of an abundance of caution, we are offering two years of complimentary credit monitoring, which meets or exceeds industry standards for credit monitoring."
Garza said other parents served by HHS need to be aware of the breach before it's too late.
"Now I have to worry about identity theft because this happened on their watch," Garza said.