On May 19, 2021, Maximus, an IT vendor contracted with the Ohio Department of Medicaid (ODM), became aware of a cybersecurity incident involving an application related to Medicaid providers’ credentialing and licensing data in Ohio.
Upon discovery, Maximus promptly took the impacted application offline, launched an investigation with a leading cybersecurity firm, activated response protocols, and notified law enforcement. It was determined that the impacted application was accessed by an unknown party between May 17 and May 19, 2021. This incident did not affect any other Maximus servers, applications, or customers.
This incident did not affect patient or Medicaid beneficiary information. The incident potentially impacted some personal information about healthcare professionals such as names, dates of birth, and Social Security numbers provided to ODM or to a Managed Care Plan for credentialing or tax identification purposes. There is no evidence that any of this information has been misused. In an abundance of caution, however, Maximus is offering professionals who may have been impacted by this incident 24 months of credit monitoring and other services from Experian at no cost. Healthcare professionals who received a letter regarding this incident or who have questions about credit monitoring services should contact Experian’s dedicated assistance line at (800) 357.0823, Monday-Friday, 9 a.m. – 11 p.m. EDT, and Saturday to Sunday, 11 a.m. – 8 p.m. EDT.
Please be advised that the Board of Pharmacy has since been notified by at least one hospital system of several fraudulent prescriptions issued in recent days. While these reports may be coincidental to the Maximus cybersecurity incident, providers are strongly encouraged to utilize the Ohio Automated Rx Reporting System (OARRS) MyRx Report feature to identify any potential fraudulent prescriptions issued under their U.S. Drug Enforcement Administration (DEA) registration. A short video tutorial on running a MyRx Report is available. If a professional identifies a prescription that appears fraudulent, they should report this information to the DEA and local law enforcement.
Maximus customers with questions about this incident should email Maximus at questions@maximus.com, or visit the Maximus website.