The Centers for Medicare & Medicaid Services (CMS) announced earlier this month that a data breach stemming from the MOVEit attacks by Cl0p ransomware exposed the health and personal information of over three million health plan beneficiaries.
The breach occurred after hackers infiltrated the Wisconsin Physicians Service (WPS), a health insurance corporation that provides Medicare administrative services. This incident has significant implications for the affected individuals, as it involved the theft of sensitive data.
CMS is a federal agency under the Department of Health and Human Services (HHS) responsible for administering key healthcare programs, including Medicaid and the Children’s Health Insurance Program (CHIP). The agency ensures that these programs comply with federal standards, provides funding support, enforces policies and regulations, and monitors quality and costs, in addition to regulating the health insurance marketplace under the Affordable Care Act (ACA).
In a press release dated September 6, CMS informed the public that it, along with WPS, would notify 946,801 Medicare beneficiaries about the exposure of their personally identifiable information due to the MOVEit attacks. The agency also reported on the breach portal of the U.S. Department of Health and Human Services (HHS) that a total of 3,112,815 individuals had their information compromised.
A CMS spokesperson clarified that the discrepancy in numbers accounts for individuals who are either deceased or were not Medicare beneficiaries but whose data had been collected by WPS in the course of their work for CMS.
According to the CMS release, WPS implemented security updates from Progress Software, the developer of MOVEit Transfer, in early June 2023 and believed at the time that their systems were secure. However, a subsequent review in May 2024 revealed that hackers had breached the WPS network before the security patch was applied and had exfiltrated sensitive files.
By July 8, 2024, while still assessing the stolen files, CMS determined that the breach included various types of information, such as:
As the investigation continues, affected individuals are being offered a 12-month free credit monitoring service from Experian to help mitigate the risks associated with the data exposure.
Although Cl0p has claimed they would delete data belonging to hospitals, healthcare organizations, and U.S. government entities, the reality remains that it is nearly impossible to ensure that the stolen data has not been shared or sold on the dark web.
