More than 900,000 people in Wisconsin with Medicare have been warned that their personal information may have been stolen after a data breach last year, which targeted the MOVEit file transfer service. The data breach occurred between May 27 and May 31, 2023, when unauthorized third parties gained access to beneficiaries' personal information on MOVEit due to a vulnerability in the online service, according to the Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program. Progress Software, the developer of MOVEit, discovered and disclosed the breach on May 31, 2023, but it wasn't until recently that the Wisconsin Physicians Service Insurance Corporation (WPS)—a CMS contractor that handles some Medicare claims in the state—found out that the personal information of thousands of beneficiaries had been compromised.
Wisconsin residents on Medicare are among millions in the country who might have had their personal data stolen during last year's massive data breach. The CMS was notified by the WPS that files containing protected health information, including Medicare claims data and personally identifiable information (PII), were compromised in the cyberattack. The WPS uses MOVEit software for transferring files during the Medicare claims process, according to the federal agency. Cybersecurity firm Emsisoft estimated that the MOVEit breach might have cost more than $15 billion. The CMS and WPS are currently mailing written notifications to a total of 946,801 people whose personal information may have been exposed, informing them about the actions to take in response.
A substitute notice with similar information has been sent to those whom the two agencies were unable to reach directly because of insufficient or out-of-date contact information. Among the information that could have been compromised during the 2023 breach are Medicare beneficiaries' names, Social Security numbers or Individual Taxpayer Identification Numbers, dates of birth, mailing addresses, gender, hospital account numbers, dates of service, Medicare Beneficiary Identifiers (MBI), and Health Insurance Claim Numbers. The CMS and WPS are recommending beneficiaries continue using their existing Medicare card unless their MBI was potentially affected by the breach, in which case they should request a new card and destroy their old one.
At the moment, the agency is not aware of any reports of identity fraud or improper use of information as a direct result of this incident. As a precaution, the WPS is offering 12 months of credit monitoring and other services from Experian at no cost to beneficiaries.