Nearly one million Medicare beneficiaries have recently learned that their personal information may have been compromised in a data breach last year. This incident comes on the heels of another incident …. and highlights the ongoing challenges in protecting sensitive healthcare data and the importance of staying vigilant about your personal information.
GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE
The breach: What happened?
The Centers for Medicare & Medicaid Services (CMS) is notifying 946,801 Medicare beneficiaries that their personal data may have been exposed due to a security vulnerability in the MOVEit file transfer software used by Wisconsin Physicians Service Insurance Corp., a CMS contractor.
On July 8, 2024, Wisconsin Physicians Service Insurance Corp. (WPS) informed the Centers for Medicare & Medicaid Services (CMS) about a cybersecurity incident involving MOVEit, a file transfer software. This incident compromised files containing protected health information, including Medicare claims data and other personally identifiable information.
The vulnerability in the MOVEit software allowed unauthorized access to personal information between May 27 and May 31, 2023. Progress Software, the developer of MOVEit, discovered and publicly disclosed this vulnerability on May 31, 2023, promptly releasing a software patch to address the issue.
WPS immediately applied the patch and conducted an initial investigation, which did not reveal any evidence of unauthorized file access at that time. However, in May 2024, new information prompted WPS to conduct a more thorough review with the assistance of a third-party cybersecurity firm. This review confirmed that while the vulnerability was successfully patched in early June 2023, an unauthorized third party had copied files from WPS’s MOVEit system before the patch was applied.
In coordination with law enforcement, WPS evaluated the impacted files. Initially, the examined portion did not contain personal information. However, on July 8, 2024, WPS discovered that some files in a different portion did contain personal information, leading to the immediate notification of CMS.
As of now, CMS and WPS are not aware of any reports of identity fraud or misuse of personal information resulting directly from this incident. Nevertheless, they are taking proactive measures to notify potentially affected individuals and provide resources to help protect their personal information.
It’s important to note that this incident does not affect current Medicare benefits or coverage.
Timeline of events
- May 27-31, 2023: Vulnerability in MOVEit software exploited
- May 31, 2023: Progress Software discovers and discloses the vulnerability
- Early June 2023: WPS patches the MOVEit vulnerability
- May 2024: WPS conducts an additional review
- July 8, 2024: WPS informs CMS about the breach
- September 11, 2024: CMS notifies affected individuals
The delay in notification was primarily due to the time required for a thorough investigation and confirmation of the breach’s extent.
What information was exposed?
The compromised data potentially includes:
- Names
- Addresses
- Birth dates
- Social Security numbers
- Medicare Beneficiary Identifiers (MBIs)
- Hospital account numbers
- Dates of services
Steps being taken by CMS
The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corp. are taking comprehensive measures to address the data breach and protect affected beneficiaries. They have initiated a process of mailing written notifications to all individuals whose information may have been compromised. These notifications provide detailed information about the breach and offer guidance on protective steps.
In addition to the notifications, CMS and its contractor are offering affected beneficiaries complimentary credit monitoring services for a period of 12 months. This service will help individuals monitor their credit reports for any suspicious activity that could indicate identity theft or fraud.
Furthermore, CMS is taking the proactive step of issuing new Medicare cards to beneficiaries whose Medicare Beneficiary Identifiers (MBIs) were potentially exposed in the breach. These new cards will contain updated MBIs, effectively invalidating the compromised numbers and adding an extra layer of security to beneficiaries’ accounts.
To ensure transparency and provide clear guidance, WPS has prepared a comprehensive letter that is being sent to all potentially affected individuals. This letter outlines the nature of the breach, the specific information that may have been compromised, and detailed instructions on how to utilize the offered protection services. It also includes contact information for further assistance and answers to frequently asked questions, helping beneficiaries navigate this challenging situation with as much support as possible.
We reached out to CMS for a comment on this article, and a rep provided this statement,
We take the privacy and security of your Medicare information very seriously. CMS and WPS apologize for the inconvenience this incident might have caused you.
HACKED, SCAMMED, EXPOSED: WHY YOU’RE ONE STEP AWAY FROM DISASTER ONLINE
What you should do
If you’re a Medicare beneficiary, here are some steps you can take to protect yourself:
1) Watch for official communication: CMS will send letters to affected individuals. Be cautious of unsolicited calls or emails claiming to be from Medicare.
2) Monitor your credit: Take advantage of the free credit monitoring services offered if you receive a notification letter.
3) Review your Medicare summary notices: Check for any unfamiliar charges or services.
4) Be alert for scams: Beware of anyone contacting you about needing a new Medicare card. This is likely a scam.
5) Contact Medicare directly: If you’re concerned, call 1-800-MEDICARE to ask if your account was involved in any data breaches.
6) Report suspicious activity: If you suspect fraud, contact your state’s Senior Medicare Patrol for guidance.
7) Be cautious with digital communications: Don’t click on any links or download attachments in unsolicited emails, texts, or social media messages claiming to be from Medicare or related to the data breach. These could be phishing attempts to gather more of your personal information. The best way to protect yourself from clicking malicious links is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
8) Use an identity theft protection service: Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
CyberGuy’s Exclusive Offer (Save 52%): Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
See my tips and best picks on how to protect yourself from identity theft.
9) Consider using a data removal service: Given that Medicare beneficiary information may be exposed online due to data breaches, consider using a reputable data removal service. These services can help reduce your digital footprint by removing your personal information from various online databases and people-search websites. This can make it more difficult for scammers to find and misuse your information. However, be cautious when selecting such a service and ensure it’s legitimate, as some scammers may pose as data removal services to collect more of your personal information.
A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan websites for your information and remove it and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
Get Incogni for your family (up to 4 people) here
Protecting your Medicare information
To safeguard your Medicare data in the future. Never share your Medicare number with unsolicited callers or emailers. Be cautious about giving personal information over the phone or online. Regularly review your Medicare statements for any unusual activity. Keep your Medicare card in a safe place, just like you would a credit card.
Tell Kurt: See how your opinion stacks up
Kurt’s key takeaways
While data breaches are unfortunately becoming more common, staying informed and taking proactive steps can help mitigate potential risks. Remember, Medicare will never call you unsolicited to ask for personal information or to issue a new card. If you’re ever in doubt, hang up and call Medicare directly using the official number on your card or the Medicare website. By staying vigilant and following these guidelines, you can help protect your personal and healthcare information from potential misuse.
Given the increasing frequency and scale of data breaches in the healthcare sector, what additional measures do you think Medicare and its affiliated organizations should implement to better protect beneficiaries’ personal information and prevent future security incidents? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
7 comments
I believe that anyone that has a breach of any information from them and other platforms should be responsible for any and all $$$; to be paid to restore your credit…
Yes they have all our info and it’s time for them to have some skin in the game. I am a victim of NPD breach and of yet have not received so much as an apology from them. This is serious business and if they have the rights to all my personal info ( which makes it not personal) then by their negligence they should pay for a protection plan and it should be for a lifetime and if your identity is stolen they should pay and do everything to make it back right. These class action suits where the lawyers get rich and you get 20 bucks is unacceptable.
Hitting Medicare in the pocketbook only hurts taxpayers. When a data breach occurs, upper management heads should be fired for cause. THAT would create good results.
Thank you for looking out for all of us. I appreciate it very much.
The CEO and the IT department should pay for lifetime identity protection services and stop using moveit. My self I got 4 letters from companies that used Moveit. They will only pay for 2 year. If there is a class action lawsuit it should be 2 separate ones: one for the company & one on the CEO. Also when the people are caught and have be convicted part of the sentence should be what some other countries do to thieves.
Upper management should be responsible as they should be making certain they are protecting customers with the best antivirus / hacking available.
Management and the IT dept are the links between the data theft and the personal data banked with the entity. To hold the innocent public responsible is totally irresponsible. The targets are top management for fiduciary malfeasance and the IT dept for professional breach of trust.