900,000 Americans on Medicare Warned of Data Breach

More than 900,000 people in Wisconsin with Medicare have been warned that their personal information may have been stolen after a data breach last year which targeted the MOVEit file transfer service.

The data breach occurred between May 27 and May 31, 2023, when “unauthorized third parties” gained access to beneficiaries’ personal information on MOVEit due to a “vulnerability” in the online service, according to the Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program.

Progress Software, the developer of MOVEit, discovered and disclosed the breach on May 31, 2023, but it wasn’t until recently that the Wisconsin Physicians Service Insurance Corporation (WPS)—a CMS contractor which handles some Medicare claims in the state—found out that the personal information of thousands of beneficiaries had been compromised.

Wisconsin residents on Medicare are among millions in the country who might have had their personal data stolen during the massive data breach of last year. According to the CMS, the agency was notified by the WPS that files containing protected health information, including Medicare claims data and personally identifiable information (PII), were compromised in the cyberattack.

The WPS uses the MOVEit software for transferring files during the Medicare claims process, according to the federal agency. Cybersecurity firm Emsisoft estimated that the MOVEit breach might have cost more than $15 billion.

The CMS and WPS are now mailing written notifications to a total of 946,801 people whose personal information may have been exposed, telling them what actions to take in response. A substitute notice with similar information has been sent to people with Medicare whom the two agencies were unable to reach directly because of insufficient or out-of-date contact information.

Among the information that could have been compromised during the 2023 breach are Medicare beneficiaries’ names, Social Security number of Individual Taxpayer Identification Numbers, dates of birth, mailing addresses, gender, hospital account numbers, dates of service, Medicare Beneficiary Identifiers (MBI) and Health Insurance Claim Numbers.

The CMS and WPS are recommending beneficiaries continue using their existing Medicare card unless their MBI was potentially affected by the breach. In that case, they should ask for a new card and destroy their old ones. At the moment, the agency is “not aware” of any reports of “identity fraud or improper use of your information as a direct result of this incident.”

The WPS is also offering a complimentary 12 months of credit monitoring and other services from Experian at no cost to beneficiaries.

Newsweek contacted the CMS for comment by email on Sunday morning.