IT News: CMS Reports Data Breach: 612K Medicare Beneficiaries’ Information Compromised

In a recent development, the Centers for Medicare & Medicaid Services (CMS) has disclosed a concerning data breach that has affected approximately 612,000 Medicare beneficiaries. The breach, which occurred through the third-party application provider Progress Software Corporation’s MOVEit software, has raised concerns about the security of sensitive information within the healthcare sector.

The Breach Timeline:

On May 30, 2023, an unusual activity was detected in the MOVEit application by Maximus, prompting an immediate investigation. Subsequently, all use of the application was suspended on May 31, 2023. Progress Software Corporation later confirmed that a vulnerability in their MOVEit software had been exploited by unauthorized parties, leading to unauthorized access to files across various organizations in both government and private sectors.

Maximus promptly notified CMS of the incident on June 2, 2023. Although CMS assures that no compromise of their systems occurred, the breach did impact data stored in the Maximus MOVEit application between May 27 and 31, 2023.

Data Compromised:

The compromised data included sensitive information such as:

• Name
• Social Security Number or Individual Taxpayer Identification Number
• Date of Birth
• Mailing Address
• Telephone Number, Fax Number, & Email Address
• Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
• Driver’s License Number and State Identification Number
• Medical History/Notes, including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.
• Healthcare Provider and Prescription Information
• Health Insurance Claims and Policy/Subscriber Information
• Health Benefits & Enrollment Information

Response and Actions Taken:

In response to the breach, Maximus initiated an investigation, temporarily disabled the MOVEit application, and applied software patches to address the vulnerability. Law enforcement was also informed about the incident. CMS is actively collaborating with Maximus to investigate the breach and ensure the security of affected beneficiaries’ information.

Protective Measures for Affected Beneficiaries:

• Enroll in Experian Identity and Credit Monitoring Services: Impacted individuals are eligible for 24 months of complimentary credit monitoring and other services from Experian, provided by Maximus.
• Obtain a Free Credit Report: Beneficiaries are encouraged to request their free credit reports to check for any suspicious activity or unauthorized inquiries, as recommended by the Federal Trade Commission (FTC).
• Use Existing Medicare Card: While there have been no reported instances of identity fraud, beneficiaries whose Medicare Beneficiary Identifier (MBI) was compromised will receive a new Medicare card with a new number.

Interesting Read: Explore CybersecurityDive’s detailed timeline on the MOVEit mass exploit attacks.

Stay Informed:

CMS and Maximus prioritize the privacy and security of beneficiaries’ information. If you have questions or concerns about the breach, you can reach out to the dedicated and confidential response line provided by Experian or contact 1-800-MEDICARE for general inquiries.

CMS and its partners are diligently working to address the situation and safeguard the affected individual’s personal information.

Please stay tuned for further updates and follow recommended steps to mitigate any potential risks associated with this breach. Your vigilance and proactive actions can play a crucial role in safeguarding your personal information.