The Social Security numbers of nearly one million Medicare beneficiaries may have been exposed in a data breach linked to a vulnerability in software used by a Medicare contractor in Wisconsin, the federal government has announced.
The breach occurred between May 27 and May 31, 2023, due to a vulnerability in MOVEit, a third-party software product developed by Progress Software, which WPS used to transfer files as part of the Medicare claims process.
The breach was first disclosed publicly by Progress Software on May 31, 2023, and a patch to address the vulnerability was released soon after. However, a subsequent investigation by WPS in May 2024 uncovered new evidence that unauthorized third parties had accessed and copied files containing sensitive information before the patch was applied.
On July 8, 2024, WPS notified CMS that some of the affected files contained personal information including Social Security numbers, whose exposure can be damaging because it opens the door to identity theft and fraud.
“At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” CMS and WPS stated in a notification letter to those affected.
CMS said it’s working with law enforcement and cybersecurity consultants to safeguard the personal information of Medicare beneficiaries.
The agency also emphasized that beneficiaries’ Medicare coverage or benefits have not been impacted by the breach. New Medicare cards with updated Medicare Beneficiary Identifiers will be issued to those whose identifiers have been compromised. CMS advised beneficiaries to continue using their current cards until they receive new ones in the mail.
WPS, in coordination with CMS and law enforcement, is continuing to investigate the breach. The contractor has offered affected individuals 12 months of free credit monitoring and identity protection services, according to the agency.
The online extortion group Cl0p claimed responsibility for the breach reported by CISA, but stated that it would not use the data stolen from government agencies.