The Centers for Medicare & Medicaid Services (CMS) is notifying 946,801 Medicare beneficiaries that the May 2023 MOVEit breach compromised their protected health and personal information.
CMS says the data breach affected a third-party contractor that manages Medicare Part A/B claims on its behalf, the Wisconsin Physicians Service Insurance Corporation (WPS).
“On July 8, 2024, WPS notified CMS that files containing protected health information, such as Medicare claims data, and related personally identifiable information… was compromised in a cybersecurity incident involving MOVEit,” CMS said.
Although the widespread MOVEit hack occurred between May 27 and May 31, 2023, CMS was only notified in early July 2024, highlighting the need for real-time monitoring to detect data breaches in a timely manner.
The MOVEit developer Progress Software disclosed the zero-day vulnerability on May 31, 2023, and provided patches that WPS applied in June 2023.
However, the Clop ransomware gang had already breached thousands of entities, among them government agencies, third-party contractors, and commercial and healthcare organizations, including WPS.
MOVEit breach impacted nearly a million Medicare beneficiaries
WPS confirmed it had promptly patched the MOVEit zero-day vulnerability in June 2023 and launched an investigation that found no evidence of exploitation.
In May 2024, WPS received new information and launched a subsequent investigation, which determined that a threat actor had stolen patient information before the patch was applied.
The firm analyzed one portion of the stolen files and found that it contained no Medicare beneficiaries’ personal information, although a second portion did.
The subsequent probe determined that the MOVEit breach exposed “protected health information, such as Medicare claims data and related personally identifiable information.”
Details leaked include Medicare beneficiaries’ names, Social Security Numbers or Individual Taxpayer Identification Numbers, dates of birth, gender, mailing addresses, dates of service, hospital account numbers, and Medicare Beneficiary Identifiers (MBIs) and/or Health Insurance Claim Numbers.
The MOVEit breach impacted 946,801 current Medicare beneficiaries and some non-Medicare patients whose personal information was captured to support healthcare providers’ CMS audits.
“The MOVEit breach underscores a stark reality – zero-day vulnerabilities remain a formidable threat even for organizations with robust patch management practices,” said Evan Dornbush, former NSA cybersecurity expert. “While timely patching is essential, sole reliance on it can be perilous. Organizations must adopt a defense-in-depth strategy, including advanced network threat detection capabilities, to mitigate risks posed by elusive zero-day vulnerabilities.”
Meanwhile, CMS has sent data breach notification letters to impacted Medicare beneficiaries with current contact information and published a general alert for those without.
No evidence of misuse but investigations ongoing
So far, CMS has no evidence of the threat actor misusing the stolen information for fraud or other nefarious purposes. The cybersecurity incident also did not affect members’ coverage.
Nevertheless, the federal health plan administrator promised to continue investigating the MOVEit breach and engaged external cyber forensics experts and law enforcement authorities.
In addition, CMS is offering Medicare beneficiaries complimentary credit monitoring services via Experian for 12 months.
The health plan administrator is also providing new Medicare cards with new MBI numbers to individuals whose Medicare Beneficiary Identifiers were “potentially affected.”
Affected Medicare beneficiaries should also monitor their credit report and notify law enforcement authorities of any suspicious activity. CMS has also apologized for any inconveniences the MOVEit breach could have caused impacted individuals.
While CMS attributes the faux pas to a widespread breach affecting thousands of organizations, the federal health plan administrator is no stranger to third-party data breaches.
Last summer, CMS leaked the personal information of 612,000 Medicare beneficiaries via a third-party breach affecting Maximus Federal Services.
However, the CMS data breach is hardly surprising, given that healthcare organizations are among the top targets of cyber attacks, due to the vast amounts of sensitive personal information, health data, and payment information they possess.

