Fierce Healthcare
July 31, 2023
By Dave Muoio

Hundreds of thousands of beneficiaries are caught up in a Medicare program contractor breach that compromised the personal information of millions of people, according to statements and filings released late last week.

The disclosures represent the latest healthcare victims of a vulnerability in the MOVEit file transfer application, detected by software maker Progress Software in late May.

Contractor Maximus Federal Services, which uses the software for internal and external file-sharing purposes, said it detected unusual activity within its MOVEit environment May 30, per a Securities and Exchange Commission filing from the company and a notice from the Centers for Medicare & Medicaid Services (CMS). Maximus stopped all use of the application May 31 and notified CMS June 2.

To date, Maximus and CMS said there has been no evidence that the contractor’s system was compromised. However, “approximately 612,000 current Medicare beneficiaries” are estimated to be impacted by the breach. These individuals may have had personal information (including their name, Social Security number and address) or personal health information (including medical history, provider and benefits enrollment) copied by an unauthorized party.

“When the incident was discovered, Maximus began an investigation, took the MOVEit application offline, applied MOVEit software patches, and notified law enforcement,” CMS wrote in letters being sent to beneficiaries that may be affected. “CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS.”

Medicare beneficiaries whose data may have been exposed are being offered free credit monitoring for 24 months, along with information on how to receive one of their annual free credit reports and whether they need to use a new Medicare card.

Read More at Fierce Healthcare.