DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach

A data breach that exposed Medicare information — including social security numbers — provided to consulting firm Greylock McKinnon Associates by the Justice Department doesn’t appear to have resulted in identity theft or fraud yet, according to a statement from the agency.

“While the Justice Department is not aware of any specific reports of identity theft or other fraud resulting from this incident, the Department has ensured that those impacted have been offered fraud resolution services and credit monitoring,” Wyn Hornbuckle, a DOJ spokesperson, said in an email to FedScoop. “The investigation of this matter is ongoing.”

The response from the DOJ follows a public disclosure of the Boston-based consulting firm’s  breach last week on the Office of the Maine Attorney General’s website. According to that disclosure, first reported by TechCrunch, Greylock McKinnon Associates experienced a cyberattack in May 2023 that likely compromised Medicare information of 341,650 people, including their social security numbers. 

That information was obtained by the Justice Department “as part of a civil litigation matter” and given to the firm, which provides litigation support, in its “provision of services to the DOJ in support of that matter,” according to a letter GMA sent to people affected by the incident.

In that letter, GMA said it “detected unusual activity on our internal network” last May and “promptly took steps to mitigate the incident.” The firm said it worked with a third-party cybersecurity specialist in its response, notified DOJ and law enforcement, and in February, received confirmation of who was affected and their contact information. 

Hornbuckle said the firm notified the DOJ of the breach in May, “after which the Department required that Greylock identify those affected and immediately began its own process to address the breach.”

GMA could not be reached for comment.