Banner

News

Article

CMS announces data breach affected about 612,000 beneficiaries

Hack involved information transfer software used by contractor.

cms computer image: © Timon - stock.adobe.com

© Timon - stock.adobe.com

A May data breach at a contractor may have affected about 612,000 Medicare beneficiaries.

The U.S. Department of Health and Human Services (HHS) and the U.S. Centers for Medicare & Medicaid Services (CMS) announced the hack did not affect their computer systems. But beneficiaries whose personally identifiable information (PII) or protected health information (PHI) will get free credit monitoring for two years.

The data breach involved the MOVEit computer application, developed by Progress Software Corp. to transfer data.

Contractor Maximus Federal Services Inc. was using the app when on May 30, 2023, the company “detected unusual activity” in the program. Maximus stopped using it the next day as Progress Software Corp. “announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors,” said a notification letter sent to Medicare beneficiaries. CMS published the letter online.

On June 2, Maximus notified CMS of the incident and has since applied software security pateches. It appeared hackers obtained copies of files that were saved in the Maximus MOVEit program. Information may include:

  • Name
  • Social Security number or individual taxpayer identification number
  • Date of birth
  • Mailing address
  • Telephone number, fax number, and email address
  • Medicare beneficiary identifier (MBI) or health insurance claim number (HICN)
  • Driver’s license number and state identification number
  • Medical history or notes, including medical record/account numbers, conditions, diagnoses, dates of service, images, and treatments
  • Healthcare provider and prescription information
  • Health insurance claims and policy or subscriber information
  • Health benefits and enrollment information

Maximus is offering free two-year subscriptions to credit monitoring service Experian. CMS advised beneficiaries to obtain credit reports by calling 1-877-322-8228 or through annualcreditreport.com.

Beneficiaries may continue using their existing Medicare cards until new ones arrive by mail. Beneficiaries should destroy their old cards and inform providers of their new Medicare numbers.

Related Videos
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund