CMS announced it is addressing a data breach that occurred in Progress Software's MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. a contractor to the Medicare program. The breach involved personally identifiable information (PII) and protected health information (PHI) of Medicare beneficiaries. HHS and CMS confirm that no systems belonging to them were impacted by the breach. Letters are being sent to potentially affected individuals, notifying them of the breach and explaining the steps being taken in response. It is estimated that around 612,000 current Medicare beneficiaries may have been affected.
Maximus discovered the breach after detecting unusual activity on May 30, 2023. Investigation revealed that a vulnerability in the third-party application, MOVEit software, had allowed unauthorized access to files across multiple organizations, including Maximus. CMS and Maximus are offering free credit monitoring services for 24 months to those affected and are providing information on obtaining a free credit report. Beneficiaries whose Medicare Beneficiary Identifier (MBI) may have been impacted will be issued new Medicare cards with new numbers. CMS emphasizes that its systems remain uncompromised and that appropriate actions are being taken to safeguard information.
Click here to learn more.