
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

CMS Confirms 3.1 Million Individuals Affected by MOVEit Hack on Wisconsin Physicians Service

The Centers for Medicare and Medicaid Services (CMS), part of the Department of Health and Human Services (HHS), has reported a data breach to the HHS that affected 3,112,815 individuals. It is the same breach that the CMS and Wisconsin Physicians Service Insurance Corporation (WPS) announced earlier this month: the exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer by the Cl0p group during its May 2023 mass exploitation campaign, as detailed in the post below. In that announcement, the CMS and WPS said notifications were being issued to 946,801 individuals.

The same day the announcement was made (September 6, 2024), the CMS submitted a breach report to the HHS on behalf of its business associate, WPS. The HHS breach portal now shows more than three times as many affected individuals as the CMS and WPS said they were notifying. The CMS attributed the discrepancy to WPS holding data on individuals who are deceased, and to WPS having collected, in the course of its work for the CMS, data on many individuals who are not Medicare beneficiaries. Notifications were issued to the “946,801 current people with Medicare.”

September 9, 2024: CMS; Wisconsin Physicians Service Insurance Corporation Notify 947K Individuals About May 2023 MOVEit Hack

The Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corporation (WPS) are notifying almost 947,000 individuals that some of their protected health information (PHI) and personally identifiable information (PII) was compromised in a May 2023 security breach.

WPS provides administrative services to the CMS in connection with the Medicare program, including the handling of Medicare Part A/B claims. The breach involved the exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer (CVE-2023-34362, a SQL injection flaw), which WPS used to transfer files in connection with the services it provides to the CMS.


Progress Software discovered the vulnerability and issued a patch on May 31, 2023; however, the Cl0p ransomware group had already mass exploited it and stolen files from thousands of organizations in what was the biggest hack of 2023. According to Emsisoft, which has been tracking breach reports, at least 2,773 organizations were affected and the records of almost 96 million individuals were stolen. The worst affected companies were Maximus (11.3 million individuals), Welltok (10 million), and Delta Dental of California and affiliates (6.9 million), with education and healthcare the worst affected sectors, accounting for 39% and 20% of victims respectively.

The CMS has already reported being affected by the MOVEit hack through its contractor Maximus and reported the breach to the HHS’ Office for Civil Rights (OCR) as affecting 2,342,357 individuals. The latest breach report is in addition to the breach at Maximus. While the exploitation of the vulnerability at WPS has yet to appear on the OCR breach portal, the CMS and WPS have confirmed that notifications are being mailed to 946,801 individuals.

According to the notification letters, Progress Software notified WPS of the vulnerability on May 31, 2023, and WPS applied the patch. WPS then investigated whether the vulnerability had already been exploited; its 2023 investigation found no evidence that the Cl0p group had obtained copies of files from its MOVEit application.

However, in May 2024, a year after the vulnerability was identified and patched, new information came to light and WPS, assisted by a third-party cybersecurity firm, initiated a further review of the MOVEit system. The review confirmed that the patch had been successfully applied in early June 2023 and found no evidence of unauthorized activity within the MOVEit application after that point.

The 2024 investigation did, however, uncover evidence that the Cl0p group had exploited the vulnerability between May 27, 2023, and May 31, 2023, before the patch was applied, and had exfiltrated files from WPS's MOVEit application. A first portion of the files was analyzed and found to contain no personal information; then, on July 8, 2024, while analyzing another batch of files, WPS identified personal information and informed the CMS of the discovery.
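The kind of retrospective check that WPS's 2024 review had to perform, as an added example that is not WPS, CMS or Progress Software code: scan MOVEit Transfer's IIS (W3C) logs for requests to human2.aspx, the LEMURLOOT webshell filename published in the CISA/FBI advisory on the campaign, and flag which hits fall inside the May 27-31, 2023 window the article gives. The log excerpt is constructed, timestamps are assumed to be UTC, and the webshell filename is the only indicator modelled; a real hunt would add the other published indicators (rogue database accounts, the rest of the request chain) and the MOVEit database audit tables.

```python
"""Added example (not WPS, CMS or Progress Software code): hunt MOVEit Transfer
IIS logs for the Cl0p webshell, human2.aspx, and flag hits that fall inside
the pre-patch exploitation window the article gives (May 27-31, 2023)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator

# human2.aspx is the LEMURLOOT webshell name documented in the public
# CISA/FBI advisory on the 2023 MOVEit campaign (dropped beside the
# legitimate human.aspx). The rest of the exploit chain is not modelled.
WEBSHELL_PATH = "human2.aspx"

# Exfiltration window reported for WPS; assumed to be UTC for this example.
WINDOW_START = datetime(2023, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 6, 1, tzinfo=timezone.utc)  # exclusive

# Constructed IIS W3C excerpt for illustration only; not a real WPS log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-26 09:12:01 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-05-28 02:14:35 10.0.0.5 POST /human2.aspx - 443 203.0.113.42 Mozilla/5.0 200
2023-05-28 02:15:10 10.0.0.5 GET /HUMAN2.ASPX - 443 203.0.113.42 Mozilla/5.0 200
2023-05-28 02:15:11 10.0.0.5 GET /human2.aspx truncated-line
2023-06-02 11:00:00 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-06-05 08:00:00 10.0.0.5 GET /human2.aspx - 443 198.51.100.9 python-requests/2.31 404
"""


@dataclass
class Hit:
    when: datetime
    client_ip: str
    method: str
    path: str
    status: str
    in_window: bool


def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the header can change mid-file; re-read it
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # truncated/malformed line; never mis-align columns
        yield dict(zip(fields, values))


def find_webshell_hits(text: str, start=WINDOW_START, end=WINDOW_END) -> list:
    """Return every request for the webshell path, tagged with whether it is in the window."""
    hits = []
    for rec in parse_iis_w3c(text):
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)   # IIS logs in UTC by default
        # Compare the last path segment case-insensitively (IIS paths are
        # case-insensitive) and exactly, so the legitimate human.aspx is not flagged.
        if rec["cs-uri-stem"].rsplit("/", 1)[-1].lower() != WEBSHELL_PATH:
            continue
        hits.append(Hit(when, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"],
                        rec["sc-status"], start <= when < end))
    return hits


def summarize_by_source(hits: list) -> dict:
    """Per client IP: total hits, in-window hits, first/last seen (for the timeline)."""
    out: dict = {}
    for h in sorted(hits, key=lambda h: h.when):
        s = out.setdefault(h.client_ip,
                           {"count": 0, "in_window": 0, "first": h.when, "last": h.when})
        s["count"] += 1
        s["in_window"] += int(h.in_window)
        s["last"] = h.when
    return out


if __name__ == "__main__":
    for ip, s in summarize_by_source(find_webshell_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} hit(s), {s['in_window']} inside the pre-patch window, "
              f"first {s['first'].isoformat()}, last {s['last'].isoformat()}")
```

Two points the WPS timeline makes about a hunt like this: the malformed line is skipped rather than parsed with shifted columns, because a mis-aligned client IP would put the wrong source on the incident timeline; and the post-patch 404 probe is still reported, because a webshell request after the patch is exactly the "no unauthorized activity after the patch" question the 2024 review had to answer. Neither check works unless the logs from the window still exist, which, a year on, is a retention question before it is a detection one.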

The file review confirmed that the information compromised included the names of Medicare beneficiaries in combination with one or more of the following: Social Security number/individual taxpayer identification number, mailing address, date of birth, gender, hospital account number, date(s) of service, Medicare Beneficiary Identifier (MBI), and/or health insurance claim number. The CMS is continuing to investigate the incident in coordination with WPS, law enforcement agencies, and cybersecurity forensics consultants, and steps will be taken to ensure that personal and protected information is safeguarded. WPS has offered the affected individuals complimentary access to credit monitoring and other services for 12 months.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
