WASHINGTON—The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS), a CMS contractor, notified nearly one million individuals whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS.
The notification followed the discovery of a security vulnerability in the “MOVEit” software, a third-party application developed by Progress Software used by WPS for the transfer of files in providing services and Medicare claims to CMS. WPS is among many organizations in the U.S. that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries collected in managing Medicare claims, as well as PII collected to support CMS audits of the health care providers that individuals visited to receive health care services.
CMS and WPS are mailing written notifications to 946,801 people who currently have Medicare and whose PII may have been exposed, informing them of the breach and explaining actions being taken in response. CMS is also posting a substitute notice with similar information for those individuals for whom there is insufficient or out-of-date contact information for sending a written notification.
What Happened?
On July 8, WPS notified CMS that files containing protected health information, such as Medicare claims data and related PII, were compromised in a cybersecurity incident involving MOVEit. A vulnerability in the MOVEit software made it possible, between May 27 and May 31, 2023, for unauthorized third parties to gain access to personal information transferred using MOVEit.
Progress Software discovered and disclosed the vulnerability in the MOVEit software to the public on May 31, 2023. Additionally, Progress Software released a software patch to fix the vulnerability. WPS applied the patch and investigated the potential impact of the vulnerability on its systems; however, in the 2023 investigation, WPS did not observe any evidence that an unauthorized party obtained copies of files within the WPS MOVEit application.
In May 2024, acting on new information, WPS conducted an additional review of its MOVEit file transfer system with the assistance of a third-party cybersecurity firm. WPS confirmed it had successfully patched the MOVEit vulnerability in June 2023, after which there was no evidence of further activity by an unauthorized third party. However, the review indicated that, before Progress Software released the patch, an unauthorized third party copied files from WPS’s MOVEit file transfer system. In coordination with law enforcement, WPS evaluated those impacted files and found that a portion of impacted files did not contain any PII.
On July 8, when evaluating a different portion of the impacted files, WPS determined some of the files did contain PII, at which point it informed CMS. However, the PII was contained in the impacted files. CMS and WPS are not aware of any reports of identity fraud or improper use of the PII as a direct result of this incident.
What Information Was Involved?
CMS has determined that PII was present in certain files involved in this incident. This information may have included the following:
- Name
- Social Security number or individual taxpayer identification number
- Date of birth
- Mailing address
- Gender
- Hospital account number
- Dates of service
- Medicare Beneficiary Identifier (MBI) and/or health insurance claim number
What is CMS Doing?
CMS is continuing to investigate this incident in coordination with WPS and aims to take action to safeguard the information entrusted to CMS. The investigation includes collaboration between CMS, WPS and law enforcement agencies, as well as cybersecurity forensic consultants.
What Can You Do?
CMS suggests the following steps to protect the PII of those impacted by the data breach:
Enroll in Experian identity protection monitoring services.
- WPS is offering a complimentary 12 months of credit monitoring and other services from Experian at no cost. In doing so, individuals are not required to use their credit card or any other form of payment to enroll in the service.
Obtain a free credit report.
- Under federal law, individuals affected are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies. Upon receiving credit reports, individuals should review them for problems, identify any accounts they did not open or inquiries from creditors that they did not authorize and verify all information is correct. To report any questions or incorrect information, contact the credit reporting company. For suspicious activity on your credit reports or information misuse, call your local law enforcement agency and file a police report.
Continue to use your existing Medicare card.
- Currently, CMS is not aware of any reports of identity fraud or improper use of information as a direct result of this incident. However, if individuals notice their MBI is potentially affected, a new Medicare card with a new number will be issued. In the meantime, continue to use your existing Medicare card. If you receive a new card, CMS recommends:
  - Follow the instructions in the letter that comes with your new card.
  - Destroy your old Medicare card.
  - Inform your providers that you have a new Medicare number.