The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) have begun notifying individuals of a data breach.
What happened
Early this month, the CMS and WPS began notifying approximately one million individuals regarding a data breach.
Protected health information (PHI) and other personally identifiable information (PII) were compromised in WPS’ Medicare administrative services. WPS is a CMS contractor that handles certain Medicare claims and related services.
The breach is connected to the MOVEit software vulnerability, a third-party application that was developed by Progress Software and used to transfer files between organizations. The MOVEit breach, which occurred in 2023, had impacted numerous healthcare organizations.
Going deeper
The notice said that the CMS became aware of the incident on July 8th, 2024, when WPS notified the organization. In connection with the MOVEit vulnerability, CMS data was accessed between May 27th and May 31st, 2023. The MOVEit vulnerability was disclosed to the public on May 31st, 2023, but many companies continued to investigate the breach, which had a unique impact on each organization.
At the time, WPS applied a vulnerability patch and investigated the breach, ultimately believing that CMS files had not been accessed.
However, in May 2024, WPS found reason to conduct an additional investigation, this time with the assistance of a third-party cybersecurity firm. The investigation determined that the 2023 patch had been successful, but that before that, some information had been accessed by a malicious actor.
On September 6th, the CMS began sending notices to the 946,801 impacted individuals. In the notice, the CMS disclosed that the following data may have been accessed:
- Names
- Social Security Numbers or Individual Taxpayer Identification Numbers
- Dates of birth
- Mailing addresses
- Gender information
- Hospital account numbers
- Dates of service
- Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number.
What was said
CMS and WPS said that are currently “not aware of any reports of identity fraud or improper use” of personal information but are providing resources for individuals who may wish to monitor their credit.
“CMS is continuing to investigate this incident in coordiantion with WPS and will take all appropriate actions to safeguard the information entrusted to CMS,” the notice read. The CMS, WPS, and law enforcement continue to collaborate.
The big picture
While the MOVEit vulnerability happened over a year ago, organizations continue to report its impact, showing the sprawling impact of third-party breaches.
More than ever, healthcare organizations work with vendors and other companies for administrative processes, software, and more. The interconnected nature of the healthcare system improves its efficiency and allows organizations to specialize in their services, but can also increase an organization’s vulnerability to attack.
For the CMS and WPS, the breach will likely result in increased scrutiny over security processes and safeguards.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
