Home > Consumer Information > Privacy, Identity Theft and Data Security Breaches > Data Breach Notifications
Data Breach Notifications
Entity Information
- Type of Organization: Other Commercial
- Entity Name: Milliman Solutions LLC
- Street Address: 1301 5th Avenue, Suite 3800
- City: Seattle
- State, or Country if outside the US: Washington
- Zip Code: 98101
Submitted By
- Name: Daniel Greene
- Title: Partner
- Firm name (if different than entity): Octillo Law PLLC
- Telephone Number: 716 898 2102
- Email Address: dgreene@octillolaw.com
- Relationship to entity whose information was compromised: Outside Counsel
Breach Information
- Total number of persons affected (including residents): 1280823
- Total number of Maine residents affected: 4206
- If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: Yes
- Date(s) Breach Occured: 05/29/2023 to 05/30/2023
- Date Breach Discovered: 06/16/2023
- Description of the Breach:
- Other, External system breach (hacking)
- If other, please specify: Milliman Solutions provides risk assessment services to clients including life insurance companies. As part of those services, Milliman Solutions utilizes a third-party vendor, Pension Benefit Information, LLC (“PBI”), to conduct research on whether consumers have passed away. For that purpose, Milliman Solutions transferred data regarding its clients’ consumers to PBI utilizing a secure and encrypted file transfer protocol. PBI recently notified Milliman Solutions that PBI experienced a data security incident affecting the data of Milliman Solutions’ clients. Specifically, PBI disclosed that it utilized the “MOVEit Transfer” software provided by Progress Software Corporation (“Progress Software”) for PBI’s secure file transfer protocol (“SFTP”) servers. PBI also indicated that it stored Milliman Solutions’ clients’ data on PBI’s SFTP servers utilizing the MOVEit Transfer software. According to information provided to Milliman Solutions by PBI, on or around May 31, 2023, Progress Software disclosed for the first time that its MOVEit Transfer software contained a previously unknown, “zero-day” vulnerability that could be exploited by an unauthorized actor (CVE-2023-34362). PBI also disclosed that it launched an investigation into the nature and scope of the MOVEit vulnerability’s impact to PBI’s systems. According to PBI, its investigation determined that an unauthorized third party accessed one of PBI’s MOVEit Transfer servers on May 29, 2023, and May 30, 2023, and downloaded data. PBI explained it then conducted a manual review of its data to confirm the identities of individuals potentially affected by this event. PBI completed that review on June 16, 2023, and confirmed to Milliman Solutions at that time that the personal information of certain consumers of Milliman Solutions’ clients were affected and Milliman Solutions, following reconciliation of the data, was able to recently inform its clients of the scope of individuals whose information may have been affected. The Milliman Solutions clients whose consumer data was affected by the incident include MEMBERS Life Insurance Company (MLIC), CMFG Life Insurance Company (“CMFG”), and The Independent Order of Foresters (“Foresters”).
- Information Acquired - Name or other personal identifier in combination with: Social Security Number
Notification and Protection Services
- Type of Notification: Written
- Date(s) of consumer notification: Starting 07/17/2023
- Copy of notice to affected Maine residents: PBI - Sample Notification Letter.pdf
- Date of any previous (within 12 months) breach notifications: N/A
- Were identity theft protection services offered: Yes
- If yes, please provide the duration, the provider of the service and a brief description of the service: PBI has retained Kroll to provide credit monitoring, fraud consultation, and identity theft restoration services to all affected Maine residents for 12 months.
