Tuesday, September 10, 2024

WPS MAC and Million-Patient Data Breach

On September 6, 2024, CMS issued a press release regarding a possible compromise of private data of up to a million people. The data incident occurred at the WPS MAC. "CMS and WPS apologize for the inconvenience..."

Find the CMS press release here:

https://www.cms.gov/newsroom/press-releases/cms-notifies-individuals-potentially-impacted-data-breach

See coverage at HealthCareDive here:

https://www.healthcaredive.com/news/cms-wisconsin-physicians-service-insurance-corporation-moveit-data-breach/726416/

###


See a summary below [ChatGPT 4o].

CMS Notifies Nearly 1 Million Individuals of Data Breach Linked to MOVEit Vulnerability

September 6, 2024—In a critical development for those monitoring Medicare-related cybersecurity, the Centers for Medicare & Medicaid Services (CMS) and its contractor, Wisconsin Physicians Service Insurance Corporation (WPS), have begun notifying nearly 950,000 individuals about a data breach that may have compromised their personally identifiable information (PII). The breach stems from vulnerabilities in the MOVEit file transfer software, a third-party solution used by WPS in connection with its Medicare administrative services.

The breach, which is part of a broader cybersecurity issue impacting numerous organizations across the U.S., specifically affected data managed by WPS on behalf of CMS. The compromised data includes sensitive information from Medicare beneficiaries and potentially other individuals whose PII was processed as part of CMS's audit functions.

Scope and Timeline of the Incident

According to CMS, the vulnerability in MOVEit software was exploited between May 27 and May 31, 2023. Despite a patch being applied shortly after Progress Software, MOVEit’s developer, disclosed the vulnerability in June 2023, subsequent investigations revealed that unauthorized parties accessed and copied certain files before the patch was implemented. It wasn't until a second, more detailed review in May 2024 that the full extent of the breach was identified, with WPS confirming that some of the compromised files contained Medicare beneficiaries' PII.

The breach has raised significant concerns, particularly for CMS policy experts who oversee regulatory compliance and data security measures tied to Medicare administration. As a result, 946,801 individuals have been mailed notices about the incident, with CMS also issuing public substitute notices for those whose contact information may be out of date.

Information Compromised and Immediate Steps

The compromised data includes a range of personal information, such as:

  • Names
  • Social Security Numbers (SSNs) or Individual Taxpayer Identification Numbers (ITINs)
  • Medicare Beneficiary Identifiers (MBIs)
  • Dates of birth
  • Health Insurance Claim Numbers (HICNs)
  • Hospital account numbers
  • Dates of service

While there is currently no confirmed evidence of identity fraud linked to the breach, CMS and WPS are taking precautionary measures. These include offering complimentary identity protection and credit monitoring services for 12 months, and the issuance of new Medicare cards with updated MBIs for affected individuals. CMS has emphasized that Medicare benefits themselves remain unaffected.

Broader Implications for Medicare Contractors and Data Security

For policymakers, this incident underscores the challenges in securing third-party software used by contractors handling Medicare claims and related audits. The breach not only puts the spotlight on MOVEit and similar software but also raises questions about the oversight and rapid response protocols for protecting Medicare beneficiaries' sensitive data.

In particular, the breach highlights the need for ongoing collaboration between CMS, its contractors, and law enforcement agencies, as well as the importance of proactive cybersecurity audits and breach disclosure transparency.

As the regulatory landscape around health data protection tightens, this breach will likely serve as a key case study in shaping future policies on third-party vendor risk management, with potential ripple effects across both Medicare Part A/B claims contractors and broader healthcare data security frameworks.

Moving Forward

CMS and WPS are continuing to work with law enforcement and cybersecurity experts to investigate the incident and safeguard affected systems. This breach is likely to fuel ongoing discussions among Medicare policy experts about the balance between efficiency in claims processing and the imperative of ensuring data security in outsourced services.

For stakeholders, the MOVEit breach represents a pivotal moment, reminding all actors involved in Medicare administration of the critical importance of robust cybersecurity safeguards and rapid response mechanisms. As more details emerge, the policy community will be watching closely to understand how CMS and its contractors address the long-term implications of this breach for data privacy and Medicare's operational integrity.