Data Breach Notifications

Entity Information

  • Type of Organization: Other Commercial
  • Entity Name: Milliman, Inc.
  • Street Address: 1301 5th Avenue, Suite 3800
  • City: Seattle
  • State, or Country if outside the US: WA
  • Zip Code: 98101

Submitted By

  • Name: Dan Greene
  • Title: Partner
  • Firm name (if different than entity): Octillo Law PLLC
  • Telephone Number: 7168982102
  • Email Address: dgreene@octillolaw.com
  • Relationship to entity whose information was compromised: Outside Counsel

Breach Information

  • Total number of persons affected (including residents): 44415
  • Total number of Maine residents affected: 160
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: Yes
  • Date(s) Breach Occured: 05/29/2023 - 05/30/2023
  • Date Breach Discovered: 07/21/2023
  • Description of the Breach:
    • External system breach (hacking)
    • If other, please specify: Milliman provides administrative services to employee benefit and pension plan sponsors. As part of those services, Milliman utilizes a third-party vendor, Pension Benefit Information, LLC (“PBI”), to conduct research on whether plan members and beneficiaries have passed away. For that purpose, Milliman transferred data regarding its clients’ consumers to PBI utilizing a secure and encrypted file transfer protocol. PBI recently notified Milliman that PBI experienced a data security incident affecting the data of Milliman’s clients. Specifically, PBI disclosed that it utilized the “MOVEit Transfer” software provided by Progress Software Corporation (“Progress Software”) for PBI’s secure file transfer protocol (“SFTP”) servers. PBI also indicated that it stored Milliman clients’ data on PBI’s SFTP servers utilizing the MOVEit Transfer software. According to information provided to Milliman by PBI, on or around May 31, 2023, Progress Software disclosed for the first time that its MOVEit Transfer software contained a previously unknown, “zero-day” vulnerability that could be exploited by an unauthorized actor (CVE-2023-34362). PBI also disclosed that it launched an investigation into the nature and scope of the MOVEit vulnerability’s impact to PBI’s systems. According to PBI, its investigation determined that an unauthorized third party accessed one of PBI’s MOVEit Transfer servers on May 29, 2023, and May 30, 2023, and downloaded data. PBI explained it then conducted a manual review of its data to confirm the identities of individuals potentially affected by this event. PBI completed that review on July 21, 2023, and confirmed to Milliman at that time that the personal information of certain consumers of Milliman’s clients were affected and Milliman, following reconciliation of the data, was able to recently inform its clients of the scope of individuals whose information may have been affected.
  • Information Acquired - Name or other personal identifier in combination with: Social Security Number

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 08/14/2023
  • Copy of notice to affected Maine residents: Sample Notice Letter.pdf23.08.14 ME AG Notification Letter.pdf
  • Date of any previous (within 12 months) breach notifications:
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: 24 months of identity monitoring and credit monitoring provided by Kroll