By Tom Ozimek
Contributing Writer
The Social Security numbers of nearly one million Medicare beneficiaries may have been exposed in a data breach linked to a vulnerability in software used by a Medicare contractor in Wisconsin, the federal government has announced.
The Centers for Medicare & Medicaid Services said in a Sept. 6 news release that a data breach at Wisconsin Physicians Service Insurance Corp., one of its contractors, may have exposed the personal information of 946,801 Medicare beneficiaries. The exposed information includes not only names and Social Security numbers but also taxpayer identification numbers, Medicare Beneficiary Identifiers, dates of birth, addresses, and hospital account numbers.
The breach occurred between May 27 and May 31, 2023, due to a vulnerability in MOVEit, third-party software developed by Progress Software, which WPS used to transfer files as part of the Medicare claims process.
The breach was first disclosed publicly by Progress Software on May 31, 2023, and a patch to address the vulnerability was released soon after. However, a subsequent investigation by WPS in May 2024 uncovered new evidence that unauthorized third parties had accessed and copied files containing sensitive information before the patch was applied.
On July 8, 2024, WPS notified CMS that some of the affected files contained personal information, including Social Security numbers, which can be damaging if exploited, opening the door to identity theft and fraud.
“At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” CMS and WPS stated in a notification letter to those affected.
CMS said it’s working with law enforcement and cybersecurity consultants to safeguard the personal information of Medicare beneficiaries.
The agency also emphasized that beneficiaries’ Medicare coverage or benefits have not been impacted by the breach. New Medicare cards with updated Medicare Beneficiary Identifiers will be issued to those whose identifiers have been compromised. CMS advised beneficiaries to continue using their current cards until they receive new ones in the mail.
WPS, in coordination with CMS and law enforcement, is continuing to investigate the breach. The contractor has offered affected individuals 12 months of free credit monitoring and identity protection services, according to the agency.
The MOVEit vulnerability, first discovered in May 2023, has had widespread impacts, affecting both government and private organizations. The Cybersecurity and Infrastructure Security Agency reported on June 15 that multiple federal agencies were compromised due to this vulnerability in the widely used file transfer software.
The online extortion group Cl0p claimed responsibility for the breach reported by CISA but stated they would not use the stolen data from government agencies.