Almost a million Medicare beneficiaries could have been affected by a data breach announced Friday by the Centers for Medicare & Medicaid Services.
The federal agency and the Wisconsin Physicians Service Insurance Corp. are notifying 946,801 Medicare beneficiaries whose protected health information or other personally identifiable information may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.
“The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS,” CMS said in an announcement, noting that “WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability.”
The data breach may have involved protected health information that was collected in managing Medicare claims or collected to support CMS audits of healthcare providers, CMS said.
The federal agency said that CMS and WPS are contacting the potentially affected Medicare beneficiaries in writing to inform them of the breach and tell them that their protected health information may have been exposed. In cases where CMS has out-of-date or insufficient contact information for beneficiaries, the agency is posting information online.
Compromised information could have included names, Social Security or individual tax identification numbers, Medicare beneficiary identifiers and/or health insurance claim numbers, birth dates, mailing addresses, gender, hospital account numbers and dates of service, CMS said.
The federal agency and WPS are not aware of any reports of identity fraud or improper use of personal information as a direct result of the incident, according to the announcement. The entities are recommending that those potentially affected continue to use their existing Medicare cards but also enroll in Experian Identity Protection Monitoring Services and obtain a free credit report. Those who believe that their Medicare beneficiary identifier numbers were affected, however, can request new Medicare cards.
WPS notified CMS on July 8 that files containing protected health information were compromised in a cybersecurity incident involving MOVEit, according to a letter sent to potentially affected beneficiaries. A vulnerability in the MOVEit software made it possible for unauthorized third parties to gain access to personal information that was transferred using MOVEit between May 27 and May 31, 2023, the entities said.
Read more in the announcement.
Read more technology-related stories here.
