612K Medicare beneficiaries join millions whose data was compromised in MOVEit breach

Hundreds of thousands of beneficiaries are caught up in a Medicare program contractor breach that compromised the personal information of millions of people, according to statements and filings released late last week.

The disclosures represent the latest healthcare victims of a vulnerability in the MOVEit file transfer application, detected by software maker Progress Software in late May.

Contractor Maximus Federal Services, which uses the software for internal and external file-sharing purposes, said it detected unusual activity within its MOVEit environment May 30, per a Securities and Exchange Commission filing from the company and a notice from the Centers for Medicare & Medicaid Services (CMS). Maximus stopped all use of the application May 31 and notified CMS June 2.

To date, Maximus and CMS said there has been no evidence that the contractor's system was compromised. However, “approximately 612,000 current Medicare beneficiaries” are estimated to be impacted by the breach. These individuals may have had personal information (including their name, Social Security number and address) or personal health information (including medical history, provider and benefits enrollment) copied by an unauthorized party.

“When the incident was discovered, Maximus began an investigation, took the MOVEit application offline, applied MOVEit software patches, and notified law enforcement,” CMS wrote in letters being sent to beneficiaries that may be affected. “CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS.”

Medicare beneficiaries whose data may have been exposed are being offered free credit monitoring for 24 months, along with information on how to receive one of their annual free credit reports and whether they need to use a new Medicare card.

In its filing, Maximus said it believes that “at least 8 to 11 million individuals” whose data it handles using MOVEit may have been impacted and will be notified of the incident. Though there has not been any material interruption to its business operations due to the breach, the company plans to record a roughly $15 million expense related to its investigation and remediation.

The CL0P ransomware group began stealing data from MOVEit Transfer databases May 27, federal agencies warned the industry in a mid-June cybersecurity advisory. Cybersecurity firm Emsisoft estimates that, as of July 31, at least 546 organizations and nearly 37.7 million individuals have been impacted by the vulnerability, with about half of those affected representing the finance and professional services/education sectors.

A handful of healthcare providers are also among those whose systems, and customers, have been affected by the MOVEit vulnerability. Among these are UT Southwestern Medical Center, UofLHealth, Harris Health System, Johns Hopkins All Children’s Hospital and Johns Hopkins Medicine, the latter of which is facing legal complaints from patients.

The healthcare sector saw roughly 295 breaches affecting over 39 million individuals during the first half of 2023, according to the Department of Health and Human Services' Office for Civil Rights. Recent weeks have also included word of an 11 million-patient data breach at hospital chain HCA Healthcare, which has also led to a smattering of lawsuits from disgruntled patients.