The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) are responding to a data breach in software used by one of their contractors that is affecting over 600,000 Medicare beneficiaries.
On May 30, Maximus Federal Services, Inc. (Maximus) notified CMS about “unusual activity” on the software tool MOVEit Transfer, which both CMS and Maximus use to transfer files during the Medicare appeals process.
“CMS and Maximus are sending letters to individuals who may have been impacted notifying them of the breach, and explaining actions being taken in response. CMS estimates the MOVEit breach impacted approximately 612,000 current Medicare beneficiaries,” the agency said in a July 28 press release.
In the letter, CMS and Maximus encourage affected individuals to take advantage of a free 24-month credit monitoring service through Experian. The letter also suggests that those affected obtain a free credit report, to which they are entitled under federal law.
CMS notes that Medicare beneficiaries can continue to use their existing Medicare cards, as no identity fraud resulting from the breach has been found thus far.
The letter explains that “To date, the ongoing investigation indicates that on approximately May 27 through 31, 2023, the unauthorized party obtained copies of files that were saved in the Maximus MOVEit application, but that no CMS system has been compromised.”
According to CMS and Maximus, the information that was exposed in the breach includes:
- Social Security Number or Individual Taxpayer Identification Number;
- Telephone Number, Fax Number, & Email Address;
- Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN);
- Driver’s License Number and State Identification Number;
- Medical History/Notes;
- Healthcare Provider and Prescription Information;
- Health Insurance Claims and Policy/Subscriber Information; and
- Health Benefits & Enrollment Information.
Since the breach, Maximus has taken the software offline, applied MOVEit software patches, and notified law enforcement.
“CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS,” the agency said.