The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying nearly 946,801 individuals that their personal and health information may have been compromised due to a security vulnerability in the MOVEit software.
What happened
The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) released a press statement on September 6, indicating that they will be notifying individuals whose protected health information (PHI) may have been compromised in a breach linked to Medicare administrative services provided by WPS.
The backstory
On June 27th, the HC3 from the HHS Health Sector Cybersecurity Coordination Center released a warning to healthcare organizations regarding a vulnerability in the MOVEit platform. The HHS mentioned that leaving this weakness unpatched could lead to attacks such as ransomware and data breaches. Staff members working within medical establishments were advised to immediately fix any unforeseen instances with MOVEit integration into their systems at a maximum priority level, keeping up-to-date protection against potential cybersecurity hazards.
Go deeper: HHS issues alert about vulnerability in MOVEit file transfer platform
Going deeper
The incident stemmed from a security vulnerability in the MOVEit software, a third-party application developed by Progress Software, which WPS used to transfer files for CMS services. This breach potentially exposed personally identifiable information (PII) of Medicare beneficiaries involved in managing Medicare claims, as well as PII collected for CMS audits related to healthcare services. The vulnerability allowed unauthorized third parties to access personal information during file transfers between May 27 and May 31, 2023. WPS alerted CMS about the breach on July 8, 2023, and notifications are being sent to 946,801 Medicare recipients.
What was said
“The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS,” the press release stated. “The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive healthcare services.”
Furthermore, CMS stated that they will be mailing letters to 946,801 affected individuals. The will also be “posting a substitute notice with similar information for those individuals for whom there is insufficient or out-of-date contact information for sending a written notification.”
The press continues to include a sample of the letter they will be mailing out. This sample includes details of the attack, what information was affected, what they are doing to mitigate the attack, and what the affected individuals can do. In closing, the letter provides contact numbers should the affected individuals have any questions.
Why it matters
The release of the statement from the CMS and WPS serves as an official acknowledgment of a data breach that potentially exposed sensitive PHI and PII of nearly a million Medicare beneficiaries and other individuals.
FAQs
What is MOVEit and why was it vulnerable?
MOVEit is a file transfer software developed by Progress Software, used by organizations to securely transfer data. A vulnerability in the software allowed unauthorized access to files transferred between May 27 and May 31, 2023. Progress Software has since released patches to fix the issue, but cybercriminals exploited the vulnerability before it was addressed.
What steps are CMS and WPS taking to address this breach?
CMS and WPS have patched the vulnerability in the MOVEit software and are working with law enforcement and cybersecurity experts to investigate the breach. Affected individuals are being offered free credit monitoring and identity protection services. New Medicare cards with updated numbers are also being issued to those whose Medicare Beneficiary Identifiers were compromised.
What is being done to prevent future breaches?
CMS and WPS are working with law enforcement, cybersecurity consultants, and forensic experts to strengthen security protocols and ensure that similar vulnerabilities are addressed. Healthcare organizations are urged to assess their use of third-party software and promptly apply security patches to minimize future risks.
Tshedimoso Makhene
