June 25, 2021
As previously announced, the University of Maryland, Baltimore (UMB) was affected by the recent Accellion, Inc. file transfer appliance (FTA) data security incident. Accellion FTA software is used by numerous universities, government agencies and public and private companies around the world. UMB is continuing its efforts to notify anyone whose personal information may have been involved in the Accellion incident, as required by law.
Accellion is an information technology vendor that supplied UMB’s FTA. The FTA was utilized to allow for the transfer and receipt of sensitive data through a secure protocol. According to Accellion, its FTA software was targeted by a threat actor group(s), beginning in mid-December 2020. UMB stopped using the Accellion FTA and switched to a different secure file transfer platform in February 2021.
Although UMB had been told previously by Accellion that Accellion had investigated and had not found any signs that downloads had occurred, on March 29, 2021, UMB was informed that certain data files in its Accellion FTA had been posted on a cyber criminal’s website. UMB reported the incident to the FBI and is working with federal law enforcement officials. Outside forensic experts are also working diligently to investigate and determine the full scope of the incident. There is no evidence that any UMB information technology systems other than the FTA were impacted. On March 31, 2021, UMB began mailing letters to known impacted individuals. After initial investigation, on April 22, 2021, UMB began to engage with state officials regarding impacted agency records. Impacted files relate to certain social service, health, public health and research activities conducted by UMB on behalf of several data owners including:
Department of Juvenile Services (DJS): Various participants of Functional Family Therapy.
Maryland Department of Health (MDH): Various participants in the MDH Maryland Medicaid Program.
Maryland Department of Human Services (DHS):
Social Services Administration (SSA) - Various participants in Evidence Based Practices involving child and family therapy and substance abuse treatment programs.
Child Support Administration (CSA) - Various individuals who receive services through the Child Support Administration.
Family Investment Administration (FIA) - Various participants in the Family Investment Administration's (FIA) benefit programs of DHS.
Notification letters are being sent as potentially affected individuals are identified. The information affected varies widely by individual and in some cases included names, addresses, dates of birth, demographic and/or health-related information and other information associated with participation in a certain program, review or study. For some individuals, the personal information involved included a Social Security number, and these individuals are being provided complimentary credit monitoring and identity theft protection services as required by law.
It is recommended that all individuals, including those affected by this incident, closely monitor financial account statements and credit reports and report any discrepancies to law enforcement. Additional guidance on steps consumers can take to protect themselves can be found at: https://www.consumer.ftc.gov/features/feature-0014-identity-theft.
UMB has established a toll-free call center dedicated to answering questions about this incident. This call center is available beginning June 29, 2021, at 855-867-0875, Monday – Friday, 9:00 AM to 9:00 PM EST (excluding holidays). Individuals who participated in the programs above who have not received a notice letter within approximately 3 weeks may wish to call to confirm whether they were affected.
UMB takes seriously the security and privacy of personal information entrusted to us, and deeply regrets this incident and any concern it may cause.
Updates to this notice will be posted at https://www.umaryland.edu/accellion.