As those trying to monitor and analyze the massive MOVEit breach are already aware, the Teachers Insurance and Annuity Association of America (“TIAA”) provided university faculty retirement benefits to a number of colleges and universities. The TIAA part of the breach was not a direct attack on the vendor’s systems. TIAA was notified by its vendor, Pension Benefit Information, that PBI had been affected by the breach.
Attempting to compile all PBI-related numbers has been a challenge. PBI notified the Maine Attorney General on July 11 on behalf of 371,359 customers of clients, but their submission did not indicate exactly which of their clients they were providing notice for. On July 14, PBI notified HHS that 1,209,825 patients or insurance members of HIPAA-covered clients had been affected, and on July 17, Milliman Solutions notified the Maine Attorney General’s Office that 1,280,823 were affected by the attack on PBI. Previous news reports had tallied an additional 5 million or so affected at CalPers, Genworth Financial, and Wilton Reassurance. And even those are not a complete list or estimate of how many of PBI’s clients’ customers were affected in total.
This week, TIAA notified the Maine Attorney General that 2,630,717 of their clients’ consumers had been affected by the attack on PBI. What’s not clear from that report, however, is whether that is a total number for all of TIAA’s clients’ customers or if they are only making that report for a subset of their clients. Perhaps that will become clearer in time. TIAA’s notification template appears below.TIAA Individual Notice