The Centers for Medicare & Medicaid Services and the Wisconsin Physicians Service Insurance Corporation (WPS) are mailing written notices to 946,801 people whose protected health information or other personally identifiable information may have been exposed as a result of a cyber breach.
A security vulnerability was found in MOVEit software, a third-party application used to transfer files to CMS. The app was developed by Progress Software and used by Wisconsin Physicians Service Insurance Corporation.
Progress Software discovered and publicly disclosed a vulnerability in its MOVEit software on May 31, 2023. The company released a software patch, which WPS applied.
During its initial investigation, WPS found no evidence that copies of files within the WPS MOVEit application had been obtained by an unauthorized third party. However, in May of this year, based on new information, WPS engaged a third-party cybersecurity firm to conduct additional research.
On July 8, after evaluating another portion of the affected files, WPS determined that between May 27 and May 31, 2023, an unauthorized third party copied the files from WPS’s MOVEit file transfer system.
That same day, WPS notified CMS that files containing protected health information, including Medicare claims data, and related personally identifiable information, had been compromised.
After the patch was applied in early June 2023, we found no evidence of further activity by unauthorized third parties.
Why is this important?
The exposed information could include name, Social Security number or individual taxpayer identification number, date of birth, mailing address, gender information, hospital account number, date of service, Medicare Beneficiary Identifier (MBI) and/or health insurance claim number.
CMS said it is continuing to work with law enforcement and cybersecurity forensic consultants and in coordination with WPS to investigate the incident.
“While CMS and WPS are not aware of any misappropriations of personal information or reports of misuse of personal information as a direct result of this incident, we are taking this opportunity to notify you so that, if you wish, you can take advantage of the information and resources described in this notice,” CMS said in the letter.
CMS is providing information about free credit monitoring and is providing new Medicare cards with new Medicare numbers to those potentially affected. Medicare benefits and coverage will not be affected.
WPS is offering Experian credit monitoring and other services free for 12 months.
The Federal Trade Commission recommends that you regularly review your credit report. Under federal law, you are entitled to one free credit report every 12 months. For more information, call 1-877-322-8228 or visit www.annualcreditreport.com.
Anyone who notices suspicious activity is asked to contact their local police and file a police report.
For more information, call Experian at 833-931-5700 or 1-800-MEDICARE (1-800-633-4227).
Larger trends
Wisconsin Physicians Service is a CMS contractor that processes Medicare Part A and/or B claims and related services for CMS.
According to CMS, WPS is one of many organizations in the U.S. affected by the MOVEit vulnerability. The security incident may have affected personal information of Medicare beneficiaries collected in the administration of Medicare claims, and may have also affected individuals who are not Medicare beneficiaries when provider data is collected to support CMS audits.
According to the UK National Cyber Security Centre, organisations outside the US are also affected by the MOVEit vulnerabilities.
The cyberattack exploited a flaw in MOVEit’s managed file transfer service, which is used to securely transfer sensitive files, according to Lepide. The attack began on May 27, 2023, and took advantage of a zero-day vulnerability that allowed hackers to inject SQL commands to access MOVEit customers’ databases, the report said. The hackers are believed to be linked to the Cl0p ransomware group.
Email the author: SMorse@himss.org