Original Posting: August 11, 2023
Updated: February 1, 2024
University of Utah Health Plans (UUHP) has been notified of information security incidents experienced by three vendors relating to their use of the MOVEit file transfer software. Delta Dental, TMG Health, Inc, and Virgin Pulse.
On November 13, 2023, Delta Dental, who administers supplemental dental services for UUHP Health Choice Generations members, notified UUHP they experienced a security incident relating to their use of the MOVEit file transfer software. Delta Dental discovered the incident on June 1st and immediately took steps to secure the file access software. Delta Dental’s investigation confirmed that on May 30, 2023, an unauthorized external user accessed files containing some personally identifiable information belonging to UUHP Health Choice Generations members.
UUHP members’ information that was impacted in this incident includes member names, addresses, dates of birth, and limited information relating to their insurance plan and treatment costs. Delta Dental began sending notifications to impacted plan members on December 21, 2023.
On June 21, 2023, TMG Health, Inc. (TMG) data security personnel discovered an unauthorized external user accessed a MOVEit file transfer server and downloaded files that potentially contained some UUHP Medicare Advantage member information. These downloads occurred between May 30, 2023 and June 2, 2023. Once TMG learned of the access, they blocked the unauthorized user from further access and notified UUHP. TMG notified UUHP of this incident on June 22, 2023.
Information that was potentially impacted in this incident includes UUHP Medicare Advantage members’ names and one or more of the following: mailing address, email address, phone number, date of birth, Social Security Number, medical claims information, banking information, billing information, and/or medical treatment information.
Similarly on May 31, 2023, Virgin Pulse, a vendor UUHP uses to help contact members about routine care and benefits enrollment, discovered a potential security incident relating to their use of the MOVEit file transfer software. Virgin Pulse reported to UUHP that Virgin Pulse promptly secured the file access software and initiated an investigation, which confirmed that an unauthorized external user accessed files containing some personally identifiable information from a Virgin Pulse server on May 30, 2023 belonging to UUHP HealthyU members. Virgin Pulse first notified UUHP of this incident on August 3, 2023 and provided UUHP information identifying impacted individuals on October 2, 2023.
Information that was potentially impacted in this incident includes UUHP HealthyU members’ names and one or more of the following: mailing address, email address, phone number, date of birth, and/or member ID. Social Security numbers and financial account information were not impacted in the Virgin Pulse incident.
UUHP is working closely with TMG and Virgin Pulse to ensure systems are updated to prevent these types of incidents in the future.
For the TMG incident, notification letters were mailed to the impacted individuals for whom we have a valid address on August 10, 2023. With respect to the Virgin Pulse incident, notification letters were mailed to the impacted members for whom we have a valid address on October 20, 2023. In the letters, UUHP advised potentially impacted members to monitor their accounts, charges, and statements for any discrepancies or services that they did not receive. Those members are encouraged to contact the billing entity immediately if they see suspicious charges.
If UUHP Medicare Advantage members have questions about the TMG incident, they may call 1-888-727-2311, available Monday through Friday, 7:00am – 7:00pm, MT.
If UUHP HealthyU members have any questions or would like to learn additional information about the Virgin Pulse incident, they may call 866-904-0403 available Monday through Friday from 9:00 am - 7:00 pm Eastern Time, excluding major U.S. holidays.
If UUHP Health Choice Generations members have any questions or would like to learn more information related to the Delta Dental incident, they may call 800-693-2571 Monday-Friday from 6 a.m. – 3:30 p.m. PT/ 9 a.m. – 6:30 p.m. ET