The Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corp. (WPS) are sending written notifications to 946,801 Medicare beneficiaries whose personal information may have been exposed due to a security vulnerability in the MOVEit software. WPS, a CMS contractor that handles Medicare hospital and outpatient claims, uses MOVEit for file transfers during the Medicare claims process.
The vulnerability in the MOVEit software, developed by Progress Software, made it possible for unauthorized third parties to gain access to personal information transferred using MOVEit between May 27 and May 31, 2023. The compromised information included names, Social Security and taxpayer ID numbers, dates of birth, addresses, hospital account numbers, and Medicare Beneficiary Identifier (MBI) and/or health insurance claim numbers. CMS stated that they are not aware of any reports of identity fraud or improper use of the information as a direct result of this incident.
However, if an individual’s MBI was potentially affected, a new Medicare card with a new number will be issued to them in the coming weeks. In the meantime, beneficiaries can continue to use their existing Medicare cards.
Medicare data breach response efforts
WPS applied a software patch released by Progress Software to fix the vulnerability and investigated the potential impact on its systems. In a 2023 investigation, WPS did not observe any evidence of unauthorized access to files within the WPS MOVEit application. However, acting on new information in May 2024, WPS conducted an additional review and found that an unauthorized third party had copied files from WPS’s MOVEit file transfer system before the patch was released.
On July 8, 2024, WPS determined that some of the files contained personal information and informed CMS. WPS is offering a complimentary 12 months of credit monitoring and other services from Experian at no cost to those affected. People who notice suspicious activity on their credit reports are urged to contact local law enforcement agencies and file a police report.
CMS continues to investigate the breach in coordination with WPS and cybersecurity forensic consultants, stating that they will take all appropriate actions to safeguard the information entrusted to them. The MOVEit vulnerability has affected many organizations in the US, and the incident has led to international outrage, with the hackers reportedly earning between $75 million to $100 million from ransoms.
