A data breach at a data file sharing service has exposed the personal information of 612,000 Medicare recipients and millions of other health care consumers.
The breach occurred in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, one of the Medicare program’s contractors, the Centers for Medicare & Medicaid Services (CMS) said in a statement.
Maximus said that up to 11 million people were affected by the breach.
The breach, which occurred in May and was announced by CMS on July 28, involved the personally identifiable information (PII) and/or protected health information (PHI) of Medicare beneficiaries.
Specific information that may have been compromised includes names, phone numbers, email addresses, Social Security numbers, healthcare provider and prescription information as well as health insurance claims, CMS said. No CMS or Department of Health and Human Services systems were impacted, the agency added.
CMS and Maximus are sending letters to Medicare beneficiaries who may be impacted by the incident and both are offering free credit monitoring services for two years.
“Data privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us,” Maximus told Kiplinger in a statement. The company said that Maximus and many other companies use MOVEit, and that it is investigating the issue and closely monitoring its systems for any unusual activity.
“To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network,” Maximus said.
Updating security is important
Ani Chaudhuri, CEO at Dasera, a data security firm in Saratoga, California, told Kiplinger that the breach occurred due to an unknown vulnerability in the MOVEit software.
“When the creators of MOVEit announced the vulnerability on May 31, 2023, it was clear the gap allowed unauthorized actors to gain access to MOVEit servers, in this case, compromising sensitive consumer data,” Chaudhuri said.
“Companies like Maximus use [services such as MOVEit] to send, receive and store sensitive information, making them attractive targets for cybercriminals,” he said. “This incident underscores the importance of maintaining robust and updated security measures, regularly auditing software for vulnerabilities, and adopting a proactive approach to data governance.”
“Consumers affected by this breach should stay alert for any phishing attempts, such as email, text, or phone,” said Chris Hauk, who focuses on consumer privacy at Pixel Privacy, an online data protection services company. “The bad actors responsible for the breach or who purchase the information stolen in the breach may use the information they already have to cheat the users out of additional information.”