- Breach began with 2023 software ‘security vulnerability’
- No fraud or ID thefts reported thus far, agency says
Protected health information for nearly 1 million Medicare beneficiaries may have been compromised by a 2023 “security vulnerability” in software used by a Medicare contractor in Wisconsin, the Biden administration reported Friday.
The Centers for Medicare & Medicaid Services and the Wisconsin Physicians Service Insurance Corp. (WPS), a CMS contractor that handles Medicare hospital and outpatient claims, are mailing written notifications to 946,801 Medicare beneficiaries whose information may have been exposed.
The actions follow the July 8, 2024, discovery of a “security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files” during the Medicare claims process, a CMS press release said.
“A vulnerability in the MOVEit software made it possible, between May 27 through 31, 2023, for unauthorized third parties to gain access to Personal Information that was transferred using MOVEit,” the agency said in a notification letter.
The information included names, Social Security and taxpayer ID numbers, dates of birth, addresses, hospital account numbers, and Medicare Beneficiary Identifier (MBI) and/or health insurance claim numbers.
“At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” the CMS notification letter said. “However, if your MBI was potentially affected, a new Medicare card with a new number will be issued to you. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card.”
The CMS continues to investigate the breach in coordination with WPS and cybersecurity forensic consultants. The agency “will take all appropriate actions to safeguard the information entrusted to CMS,” the letter said.
WPS is among many organizations in the US that were affected by the MOVEit vulnerability, a CMS press release noted.
“Progress Software, the developer of MOVEit, discovered and disclosed the vulnerability in the MOVEit software to the public on May 31, 2023,” the notification letter said. “Progress Software released a software patch to fix the vulnerability. WPS applied the patch and investigated the potential impact of the vulnerability on its systems. However, in the 2023 investigation, WPS did not observe any evidence that an unauthorized party obtained copies of files that were within the WPS MOVEit application.”
But acting on new information in May 2024, WPS “conducted an additional review of its MOVEit file transfer system” and found that before Progress Software released the patch, “an unauthorized third party copied files from WPS’s MOVEit file transfer system,” the letter said.
“In coordination with law enforcement, WPS evaluated some of those impacted files,” according to the letter. “On July 8, 2024, WPS determined that some of the files contained Personal Information, at which point it informed CMS.”
WPS is offering those affected 12 months of complimentary credit monitoring and other services from Experian. People who notice suspicious activity on their credit reports are urged to contact local law enforcement agencies and file a police report.