Personal Information of 612K Medicare Recipients Exposed in Data Breach

A data breach in a service for sharing data files has led to the exposure of personal information belonging to 612,000 Medicare recipients and millions of other healthcare consumers. The breach took place within Progress Software’s MOVEit Transfer software on the network of Maximus Federal Services, a contractor for the Medicare program, as stated by the Centers for Medicare & Medicaid Services (CMS). Maximus confirmed that the breach impacted up to 11 million individuals.

The incident occurred in May and was announced by CMS on July 28. It involved the compromise of personally identifiable information (PII) and/or protected health information (PHI) of Medicare beneficiaries. The compromised data includes names, phone numbers, email addresses, Social Security numbers, healthcare provider and prescription information, as well as health insurance claims, CMS confirmed.

Thankfully, CMS and Maximus are taking action by sending letters to potentially affected Medicare beneficiaries and offering free credit monitoring services for two years. “Data privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us,” stated Maximus in response to Kiplinger’s inquiry. The company also mentioned that it, along with many other companies, utilizes MOVEit and is currently investigating the incident while closely monitoring its systems for any unusual activity.

Ani Chaudhuri, CEO of Dasera, a data security firm, explained that the breach occurred due to an unknown vulnerability in the MOVEit software. According to Chaudhuri, after the vulnerability was announced by MOVEit’s creators at the end of May 2023, it became evident that unauthorized individuals could access MOVEit servers, which subsequently compromised sensitive consumer data in this case. As Chaudhuri emphasizes, companies like Maximus, which use services like MOVEit to send, receive, and store sensitive information, become prime targets for cybercriminals. This incident underscores the significance of maintaining strong and up-to-date security measures, conducting regular software audits for vulnerabilities, and taking a proactive approach to data governance.

Chris Hauk, an expert in consumer privacy at Pixel Privacy, an online data protection services company, advises consumers affected by this breach to remain vigilant against phishing attempts such as email, text, or phone scams. The individuals responsible for the breach or those who obtain the stolen information may use it to deceive users and potentially gather additional information from them.