Centers for Medicare & Medicaid Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Centers for Medicare & Medicaid Services (CMS) experienced a data breach in May 2023 due to a vulnerability in Progress Software’s MOVEit Transfer software, which was used by their contractor, Maximus Federal Services, Inc. This breach resulted in the exposure of personally identifiable information (PII) and protected health information (PHI) of approximately 612,000 current Medicare beneficiaries[1].

The breach was detected on May 30, 2023, when Maximus observed unusual activity in its MOVEit application. The use of the application was halted on May 31, 2023, and CMS was notified on June 2, 2023. The investigation revealed that the unauthorized party obtained copies of files containing beneficiaries’ personal information, including names, Social Security Numbers, dates of birth, addresses, Medicare Beneficiary Identifier (MBI) numbers, and medical history, among other details[1].

CMS and Maximus are sending letters to individuals who may have been impacted, notifying them of the breach and the actions being taken in response. Affected individuals are being offered free credit monitoring services and information on how to obtain a free credit report. For those whose MBI numbers may have been compromised, CMS is issuing new Medicare cards with new numbers[1].

In a separate incident, another CMS subcontractor, Healthcare Management Solutions, LLC (HMS), experienced a ransomware attack in October 2022 that potentially exposed the data of 254,000 Medicaid beneficiaries. This breach involved sensitive data such as banking information, Social Security Numbers, and Medicare entitlement, enrollment, and premium information[2].

CMS has emphasized that no CMS systems were breached and no Medicare claims data were involved in these incidents. The agency continues to investigate and take necessary actions to safeguard the information entrusted to it. Beneficiaries are advised to destroy their old Medicare cards upon receipt of the new ones and to contact their financial institutions if necessary[2].

These breaches are part of a larger trend of increasing cyberattacks on healthcare systems, with federal records indicating that from 2010 to 2022, data breaches exposed 385 million patient records. Healthcare organizations are required to notify the HHS Office for Civil Rights when breaches affect the health information of more than 500 people[6].

The healthcare sector experienced approximately 295 breaches affecting over 39 million individuals in the first half of 2023 alone, highlighting the growing challenge of cybersecurity in the healthcare industry[7].

Citations:

  1. https://www.cms.gov/newsroom/press-releases/cms-responding-data-breach-contractor
  2. https://fedscoop.com/cms-subcontractor-data-breach/
  3. https://www.ajmc.com/view/what-we-re-reading-health-data-breaches-medicaid-grassroots-groups-pcp-shortage-impact
  4. https://www.cms.gov/newsroom/press-releases/cms-responding-data-breach-subcontractor
  5. https://federalnewsnetwork.com/federal-newscast/2023/07/ransomware-attackers-steal-personal-info-of-over-600k-medicare-beneficiaries/
  6. https://www.healthcaredive.com/news/tracking-healthcare-data-breaches-cybersecurity-hacking-hospitals/696184/
  7. https://www.fiercehealthcare.com/health-tech/612000-medicare-beneficiaries-join-millions-whose-data-was-compromised-moveit-breach
  8. https://www.cnbc.com/2022/12/16/some-medicare-enrollees-getting-new-id-numbers-due-to-data-breach.html
  9. https://www.wbaltv.com/article/maryland-data-breaches-federal-investigation/44177180
  10. https://www.medicare.gov/media/document/incident-notification-letterenglish.pdf?linkit_matcher=1
  11. https://www.aha.org/news/headline/2023-07-28-medicare-beneficiaries-alerted-contractor-data-breach
  12. https://www.bankinfosecurity.com/medicare-breach-a-20727
Breach Submission Date Jul 28, 2023
Converted Entity Name Centers for Medicare & Medicaid Services
Converted Entity Type Health Plan
State MD
Individuals Affected 2,342,357
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes