Massive Data Breach Discloses Private Details of Hundreds of Thousands

Medicare data breach reveals sensitive information of nearly 900,000 Americans, creating heightened concerns over identity theft and financial fraud.

At a Glance

  • CMS and WPS are alerting individuals about potential PHI and PII compromise linked to Medicare services.
  • The breach, tied to a vulnerability in the MOVEit software, has exposed data including Social Security numbers and medical records.
  • Approximately 946,801 current Medicare beneficiaries affected; notifications are being sent.
  • Maximus, a third-party provider, reports up to 11 million individuals’ data may be compromised.

The Scope of the Breach

A significant data breach has impacted nearly 900,000 Americans enrolled in Medicare, exposing their sensitive information. The Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corporation (WPS) have begun notifying affected individuals. The compromised data includes Social Security numbers, medical records, and other personal details, raising serious concerns over potential identity theft and financial misuse.

The breach is linked to a vulnerability in the MOVEit software, developed by Progress Software. This software was used by WPS for file transfers related to Medicare services. The issue arose from a flaw that allowed unauthorized access to sensitive data between May 27 and May 31, 2023. Despite the vulnerability being patched in early June 2023, unauthorized third parties had already copied files. CMS and WPS discovered the breach on July 8, 2024.

Impact on Medicare Beneficiaries

The compromised information may include names, Social Security numbers, dates of birth, mailing addresses, gender, hospital account numbers, dates of service, and Medicare identifiers. Written notifications are being sent to 946,801 current Medicare beneficiaries whose PII may have been exposed. For those with outdated or insufficient contact information, a substitute notice will be posted.

“The compromise of the MOVEit secure file transfer has been attributed to the Russian ransomware gang known as Clop and has struck multiple government and private-sector organizations, including health care organizations. These attacks demonstrate our cyber adversaries’ strategic targeting of those third-party applications and services that provide the broadest access to networks and sensitive data. As a result, we should identify and apply enhanced security and monitoring controls to these systems. These attacks also demonstrate that no organization is immune from data breaches, and the enormous complexity in managing third- and fourth-party cyber risk. We look forward to continuing to work with the federal government in the exchange of cyberthreat intelligence and risk mitigation practices to help defend against our common cyber adversaries.” – John Riggi, AHA’s national advisor for cybersecurity and risk

Despite the scale of the breach, CMS and WPS are not aware of any identity fraud or misuse of the compromised information to date. However, they urge affected individuals to remain vigilant and monitor their accounts for any suspicious activities. Additionally, hackers linked to the Russian ransomware gang known as Clop are reportedly responsible for the breach.

Measures to Mitigate the Impact

To mitigate the breach’s impacts, affected individuals are offered 12 months of free credit monitoring services from Experian. CMS and WPS advise obtaining free credit reports and monitoring for suspicious activity. New Medicare cards with new numbers will also be issued to the affected beneficiaries.

CMS and WPS are investigating the incident in coordination with law enforcement and cybersecurity consultants to ensure comprehensive security measures are implemented. Affected individuals are encouraged to contact Experian’s dedicated response line or call 1-800-MEDICARE for further information.
