The data of at least 100,000 people could have been exposed after a cyber attack on the US Department of Health.

() The data of at least 100,000 people could have been exposed by a cyber attack on contractors of the US Department of Health and Human Services, an agency official said Thursday. This makes the Department of Health (HHS) the latest US government agency to be affected by the wide-ranging cyberattack related to hackers russians.

HHS notified Congress of the data breach Tuesday and will keep lawmakers informed as the investigation progresses, according to the official. Agencies are required to report these types of incidents to Congress when they compromise the personal information of 100,000 or more people.

“Although no HHS systems or networks were affected, the attackers accessed the data by exploiting the vulnerability in the third-party MOVEit Transfer software,” the official told .

MOVEit is the popular file transfer software that alleged Russian cybercriminals have exploited in recent weeks to compromise the data of dozens of companies, schools, and government agencies in the US and around the world. US company Progress Software, which makes MOVEit, released a security update for the software, but the hackers they had already been several days ahead in accessing the systems.

was the first outlet to report that the MOVEit vulnerability had affected multiple US agencies, including the Department of Energy, the Office of Personnel Management and the Department of Agriculture.

BloombergNews initially reported access to data from the Department of Health.

Federal officials have attributed the hacking campaign to a Russian-speaking group known as CLOP. Typically, hackers steal victims’ data instead of encrypting their computers with ransomware and use the information to make extortion demands.

CLOP’s impact on federal agencies has been limited, according to authorities, but elsewhere they have been able to access the personal data of millions of Americans. The Louisiana and Oregon departments of motor vehicles and the California public pension fund were victims of the data breach.

Well-known agencies and companies that have been victims of cyberattack also continue to appear.

A Siemens Energy spokesperson told on Tuesday that the company was “among the targets” of the cyberattack, but that “no critical data was compromised and our operations have not been affected.”

The University of California, Los Angeles suffered the attack on its MOVEit platform on May 28, a spokesperson told on Tuesday. “This is not a ransomware incident,” the spokesperson said. “There is no evidence of any impact on any other systems on campus.”

It is known that the hackers they have demanded tens of millions of dollars in ransom in previous cyberattacks. However, they are posting much of the data stolen with the MOVEit vulnerability on their dark-web extortion site, a sign that some efforts to extract ransoms have failed.

Some victims have paid the criminals, Charles Carmakal, an executive at Mandiant Consulting, a Google-owned company hired by some victims to respond to the cyberattack, previously told . It is not clear how many of the victims have paid the hackers nor the amount of money they gave. Carmakal and others have declined to comment on the matter.

Now, even a handful of high-paying victims can be profitable and fuel future cyberattacks.

“We have many active forensic investigations related to this vulnerability involving data theft and extortion with unusually high ransom demands,” Shane Sims, a former FBI supervisory special agent who is now CEO of cybersecurity firm Kivu Consulting, told . “Victims span the US and UK, and include the financial, industrial, legal, healthcare and technology sectors.”