Washington, D.C. 20549

Date of Report (Date of earliest event reported): July 26, 2023

Maximus, Inc.
(Exact name of registrant as specified in its charter)
(State or other jurisdiction of incorporation)
 (Commission File Number)
(I.R.S. Employer Identification No.)
1600 Tysons Boulevard, McLean, VA 22102
(Address of principal executive offices)
(Zip Code)
Registrant's telephone number, including the area code: (703) 251-8500
No Change
(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
    Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
    Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
    Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
    Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:
Title of each class | Trading Symbol(s) | Name of each exchange on which registered
Common Stock, no par value | MMS | New York Stock Exchange
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 8.01    Other Events
On May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. It appears that a significant number of commercial and government customers worldwide were affected by this vulnerability. Maximus, Inc. (“Maximus” or the “Company”) uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs. The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability. The Company is cooperating with law enforcement regarding this cybersecurity incident.

Maximus promptly commenced an investigation of the incident with the assistance of outside legal, forensic and data analytics experts and has taken remedial steps to address the reported vulnerabilities. The Company’s forensic expert has completed the forensic aspects of the investigation, which has identified the files impacted by the cybersecurity incident. The Company’s review of these files is ongoing. At present, there is no indication that the incident has had any impact on the internal information technology systems of the Company or its customers beyond the MOVEit environment, and there has been no material interruption to the Company’s business operations due to the incident.

Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident. The Company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services.

Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023 representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident. The information provided in this Current Report on Form 8-K, including the estimated number of impacted individuals and estimated expenses, is preliminary and is based on currently available information and is subject to change during the course of the Company’s ongoing investigation of the cybersecurity incident. The Company’s review of impacted files is ongoing, and the Company is unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed, which we expect will not be for several more weeks. The Company is also unable to predict other potential liabilities or consequences that may arise from this incident. As the investigation progresses, additional information may become available that could cause the Company’s estimates and preliminary determinations to change.

Forward-Looking Statements

This Current Report on Form 8-K includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995, which can be identified by words such as “may,” “expected,” “anticipate,” “continue,” or other comparable words. In addition, all statements other than statements of historical facts that address activities that the Company expects or anticipates will or may occur in the future are forward-looking statements. These forward-looking statements are based on the Company’s current beliefs, understandings and expectations regarding the cybersecurity incident and its impact on the Company’s business, operations, and financial results. Factors that could cause actual results to differ materially from those expressed or implied include the Company’s discovery of additional information related to the incident, legal, reputational, and financial risks resulting from the incident, any potential regulatory inquiries, enforcement actions and/or litigation to which the Company may become subject in connection with the incident, any contract terminations, disputes or loss of business, and other additional costs that may be incurred by the Company in connection with the incident, and the risks set forth in the Company’s Annual Report on Form 10-K for the year ended September 30, 2022, filed with the Securities and Exchange Commission on November 22, 2022, and the Company’s other filings with the Securities and Exchange Commission. The Company undertakes no obligation to revise or update any forward-looking statements, or to make any other forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required by law.



Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Maximus, Inc.
Date: July 26, 2023
/s/ David R. Francis
David R. Francis
General Counsel and Secretary