600K Medicare beneficiaries’ data accessed in breach

The following column was originally posted by The Hill, and yet when we searched the link (several of them) the original column would not open up – it was frozen. ~ Editor

The personal information of 612,000 Medicare beneficiaries were accessed in a sweeping data breach that affected what could be hundreds of organizations, including the government contractor, Maximus Federal Services.

The Centers for Medicare & Medicaid Services (CMS) announced in a press release Friday that it is notifying people affected by the data breach, which could have affected information including beneficiaries, names, Social Security numbers, medical histories, diagnoses and other personal details.

No CMS or Health and Human Services systems have been affected, according to the CMS.

CMS and Maximus, a CMS contractor that assists in the Medicare appeals process, are sending letters to those “potentially affected” and are offering recipients two years of free credit monitoring services.

The letter also provides information on steps to take to receive a new Medicare Beneficiary Identifier number, for the people for whom that is relevant.

The data breach targeted a security vulnerability in the MOVEit software, a third-party application Maximus uses to facilitate the transfer of files during the appeals process.

Maximus determined that at least 8 million to 11 million people were affected by the data breach, including the 612,000 Medicare beneficiaries notified.

The attack took place approximately from May 27-31, according to the most up-to-date information in the CMS ongoing investigation. During that time, the “unauthorized party” obtained access to files saved on the MOVEit application.

On May 30, Maximus detected unusual activity in the MOVEit software, prompting Maximus to investigate and then stop use of the application. Maximus notified CMS of the incident June 2.

Reports indicate that the data breach could have affected more than 400 organizations, affecting approximately 23 million people’s information.

Russian ransomware group Clop reportedly claimed responsibility for the attack .

Written by Sarah Fortinsky for Newsbreak ~ July 31, 2023

FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a ‘fair use’ of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U. S. C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.