MOVEit Transfer Breach Impacts 612K Medicare Beneficiaries, CMS Says

July 31, 2023 - The Centers for Medicare & Medicaid Services (CMS) notified 612,000 Medicare beneficiaries of a data breach stemming from a vulnerability in Progress Software’s MOVEit Transfer software. The breach occurred on the network of Maximus Federal Services, a contractor of the Medicare program.

As previously reported, many organizations were impacted by the critical MOVEit Transfer vulnerability, which involved a SQL injection flaw allowing unauthorized actors to gain access to MOVEit transfer’s database, infer information about the structure and contents of the database, and alter database elements.

The notorious Clop ransomware group took interest in the vulnerability in May and claimed attacks on a variety of organizations using this software.

According to CMS, Maximus utilizes the MOVEit software to transfer files during the Medicare appeals process. On May 30, 2023, Maximus detected unusual activity within its MOVEit application and stopped using it. Later that day, Progress Software announced that a vulnerability in MOVEit had enabled an unauthorized actor to access files across government and private sector organizations.

“Maximus notified CMS of the incident on June 2, 2023. To date, the ongoing investigation indicates that on approximately May 27 through 31, 2023, the unauthorized party obtained copies of files that were saved in the Maximus MOVEit application, but that no CMS system has been compromised,” a notice to impacted individuals stated.

“After notifying CMS, Maximus then began to analyze the files to determine which data had been affected. As part of that analysis, it was determined that those files contained some of your personal information.”

The impacted data included names, Social Security numbers, Medicare Beneficiary Identifiers, driver’s license numbers addresses, dates of birth, medical information, and health insurance information.

“When the incident was discovered, Maximus began an investigation, took the MOVEit application offline, applied MOVEit software patches, and notified law enforcement,” CMS stated.

“CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS.”

CMS offered 24 months of credit monitoring services to impacted individuals and instructed impacted beneficiaries on how to obtain a new Medicare card with a new beneficiary number.