A recent investigation has revealed that the data breach at Wisconsin Physicians Service (WPS) and the Centers for Medicare & Medicaid Services (CMS) has compromised the information of 3.1 million individuals.
The data breach stemmed from a zero-day vulnerability discovered in the MOVEit Transfer software, which was exploited by the Clop ransomware group in a mass exploitation event back in May 2023. The vulnerability allowed the cybercriminals to access files stored on WPS's MOVEit application, which the company used to transfer data in connection with its administrative services for the CMS Medicare program.
Initially, the CMS and WPS announced that the breach had affected 946,801 individuals, but the latest reports from the government agency have revealed a much more extensive impact. The CMS has now submitted a breach report to the Department of Health and Human Services (HHS) stating that 3,112,815 individuals were affected by this incident.
The discrepancy in the reported figures is because WPS held data on individuals who had since passed away, as well as data on many non-Medicare beneficiaries that the company had collected as part of its work for the CMS. While the initial notifications were sent to the "946,801 current people with Medicare," the full extent of the breach was much larger.
The compromised information included a range of sensitive data, such as names, Social Security numbers, individual taxpayer identification numbers, mailing addresses, dates of birth, gender, hospital account numbers, dates of service, Medicare Beneficiary Identifiers (MBIs), and health insurance claim numbers.
The CMS and WPS have been working closely with law enforcement agencies, cybersecurity experts, and other stakeholders to investigate the incident and ensure the protection of personal and protected information going forward.
WPS has stated that it applied the software patch to fix the vulnerability immediately after being notified by Progress Software on May 31, 2023. However, the company's subsequent investigation in 2024 revealed that the Clop group had successfully exploited the vulnerability and exfiltrated files from the MOVEit application during the period between May 27 and May 31, 2023, before the patch was applied.
The CMS and WPS data breach shows how urgent it is for healthcare organizations to take a hands-on approach to cybersecurity. Addressing vulnerabilities quickly, ensuring software is up to date, and having strong incident response plans in place are all necessary steps. Working closely with software vendors and regularly revisiting data protection strategies should be at the forefront for any organization looking to protect sensitive information.
The CMS data breach presents several lessons for improving cybersecurity strategies and practices:
These measures will help organizations prevent breaches and ensure that they are prepared to respond quickly and effectively when incidents occur.
The MOVEit platform is a trusted file transfer solution used extensively in healthcare and by government agencies due to its security features for handling sensitive data like protected health information (PHI). Its popularity stems from its ability to securely transfer files while adhering to regulatory standards such as HIPAA.
The alert issued by the HHS Health Sector Cybersecurity Coordination Center (HC3) states a vulnerability in MOVEit that, if exploited, could lead to data breaches and ransomware attacks. Healthcare organizations are urged to promptly patch their MOVEit instances to mitigate these risks and safeguard patient information.
To protect against potential cyber threats targeting the MOVEit vulnerability, healthcare organizations should immediately apply the patches released by Progress, the developers of MOVEit. Additionally, implementing cybersecurity measures, conducting regular vulnerability assessments, and ensuring staff are trained in cybersecurity best practices are beneficial steps in enhancing overall security posture.