An article from 
Dive Brief
The incident was related to a vulnerability in the MOVEit file transfer software, which was linked to data breaches at thousands of organizations last year.
Published Sept. 9, 2024
This audio is auto-generated. Please let us know if you have feedback.
Dive Brief:
- A data breach at a CMS contractor may have exposed the personal and health information of 946,801 current Medicare beneficiaries, the agency said Friday.
- Wisconsin Physicians Service Insurance Corporation, which manages Medicare Part A and B claims and related services for the CMS, notified the regulator in July that enrollee data may have been compromised last year due to a vulnerability in its MOVEit file transfer software.
- The MOVEit vulnerability, which cyber criminals exploited to steal data, was linked to data breaches at thousands of organizations, including government agencies, contractors, providers, payers and other healthcare companies.
Dive Insight:
The vulnerability in the MOVEit software allowed unauthorized actors to access information that was transferred with the application at WPS in late May 2023, the CMS said. But the vulnerability was patched, and WPS determined no third parties had been able to take copies of files that were in its MOVEit app, according to an investigation conducted in 2023.
However, the contractor learned new information, and began another review in May this year. The latest investigation found an unauthorized party had copied files from the software before it was fixed, and some affected files contained personal information.
The breach may have affected personally identifiable information of Medicare beneficiaries that was collected to manage claims as well as data used for provider audits, which may have included information from people covered by other payers, according to the breach notice.
The CMS and WPS added that they weren’t aware of any reports of identity fraud or improper use of data as a result of the incident.
Their report comes more than a year after Progress Software, the maker of MOVEit, was alerted to a vulnerability in the application, which is frequently used by organizations that hold sensitive data like government agencies and highly regulated industries. Data from some companies was exposed multiple times through breaches at their vendors.
This isn’t the first time that data from Medicare beneficiaries has been impacted by a MOVEit breach. Last summer, the CMS reported information from approximately 612,000 Medicare beneficiaries was compromised due to a breach at its contractor Maximus Federal Services.
The agency later reported the incident may have affected an additional 330,000 people who currently have Medicare.
The CMS was far from the only healthcare organization impacted by MOVEit. Welltok, a patient engagement company, said vulnerabilities in the file transfer software allowed an unauthorized person to take data last year, exposing information of more than 14 million people, according to a report to the HHS’ Office for Civil Rights.
Organizations like IT vendor Nuance Communications, health plan CareSource, Harris Health System and Blue Shield of California were also affected by MOVEit-related breaches.
Ricky Zipp 
Susanna Vogel