Hack involved information transfer software used by contractor.
A May data breach at a contractor may have affected about 612,000 Medicare beneficiaries.
The U.S. Department of Health and Human Services (HHS) and the U.S. Centers for Medicare & Medicaid Services (CMS) announced the hack did not affect their computer systems. But beneficiaries whose personally identifiable information (PII) or protected health information (PHI) will get free credit monitoring for two years.
The data breach involved the MOVEit computer application, developed by Progress Software Corp. to transfer data.
Contractor Maximus Federal Services Inc. was using the app when on May 30, 2023, the company “detected unusual activity” in the program. Maximus stopped using it the next day as Progress Software Corp. “announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors,” said a notification letter sent to Medicare beneficiaries. CMS published the letter online.
On June 2, Maximus notified CMS of the incident and has since applied software security pateches. It appeared hackers obtained copies of files that were saved in the Maximus MOVEit program. Information may include:
Maximus is offering free two-year subscriptions to credit monitoring service Experian. CMS advised beneficiaries to obtain credit reports by calling 1-877-322-8228 or through annualcreditreport.com.
Beneficiaries may continue using their existing Medicare cards until new ones arrive by mail. Beneficiaries should destroy their old cards and inform providers of their new Medicare numbers.