Skip to main content

CMS Data Breach Exposes Personal Data of 3.1 Million People

The US Centers for Medicare & Medicaid Services (CMS) has confirmed that personal and health information of more than 3.1 million individuals was compromised following a cyberattack on Wisconsin Physicians Service (WPS), a contractor providing Medicare administrative services. The breach, tied to the MOVEit vulnerability, came to light in July 2024 during an internal review.

The incident occurred when hackers exploited a vulnerability in MOVEit Transfer software used by WPS, allowing them to access and steal sensitive data. The breach occurred despite security patches applied in 2023, with a later investigation revealing that the hackers had already infiltrated WPS systems prior to the updates.

CMS, a federal agency within the Department of Health and Human Services (HHS), has begun notifying affected individuals, offering them 12 months of free credit monitoring through Experian to mitigate potential identity theft risks. The attack primarily impacted those using Medicare, though data on some non-Medicare beneficiaries and deceased individuals were also compromised.

CMS confirmed that the information stolen may contain the following:

  • Name
  • Social Security Number or Individual Taxpayer Identification Number
  • Date of Birth
  • Mailing Address
  • Gender
  • Hospital Account Number
  • Dates of Service
  • Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number

In a September 6th press release, CMS announced that both the agency and WPS were alerting 946,801 Medicare recipients regarding the exposure of their personal information. That same day, the agency reported on the HHS’ breach portal that 3,112,815 individuals' data had been compromised.

A CMS spokesperson clarified to BleepingComputer that the discrepancy in numbers was due to the inclusion of individuals who were either deceased or not Medicare beneficiaries, but whose data had been gathered by WPS during their work for CMS.

The hacking group Cl0p, responsible for the MOVEit attacks, has publicly claimed that they would delete data associated with healthcare and government organizations. However, CMS and cybersecurity experts warn that there is no guarantee that the stolen information hasn’t been sold or circulated on the dark web.

As detailed in our original report, the MOVEit attack affected numerous organizations across various sectors, so there might still be similar revelations that have not yet come to light. In related news, Confidant Health, a telehealth provider, recently experienced a data breach exposing sensitive patient information, adding to the growing list of healthcare-related cyber incidents.



See TessMore Internet Business Must-Reads

Comments

Popular posts from this blog

Only 1 in 10 NFT Owners Have Never Experienced a Scam

A new survey from PrivacyHQ reveals 90% or nine out of 10 respondents experienced an NFT scam. This level of uncertainty is cause for concern for a relatively new marketplace that is generating billions of dollars. Only 1 in 10 NFT Owners Have Never Experienced a Scam The PrivacyHQ survey spoke to 1,008 people in the U.S. who are actively investing in and own NFTs. And according to the report, there are some horror stories and great lessons to be learned. The key takeaways from the survey are: Less than half of NFT owners feel their NFTs are secure Two out of 3 respondents said they had panic-sold NFTs in the past Nine out of 10 respondents had experienced an NFT scam Half of the respondents had lost access to their NFTs at some point When it comes to NFT scams there were multiple ways in which buyers were scammed. Topping the list of the most common scams experienced by these respondents starts out with the NFT provider shutting down or changing their URL at 44.8%. Next is...

8 Business Credit Cards Without Personal Guarantee Required

You can get a credit card for your business that doesn’t require a personal guarantee. You’ll need to provide your personal credit score as part of the business credit card application. Credit card issuers for the no personal guarantee requirement type of card can only go after your business if you default. As a small business owner, you won’t be on the hook to pay your business debt with your personal assets. What are business credit cards , and who needs these cards? you might also be asking yourself why should I get a business credit card . If your business has an owner or partner who needs to minimize personal liability, these cards afford financial protection. What are Business Credit Cards With No Personal Guarantees? These types of cards are often called a Corporate Credit Card. That’s because the card is used to pay for expenses of the business, and the business assets (revenue, assets) pay for the credit card debt. A corporate card will have no annual fee. It’s not easy ...

openSNP Shutters Over Privacy and Authoritarianism Concerns

OpenSNP, a long-running open-source genetic data platform, is shutting down after citing growing concerns over data privacy, the misuse of genetic information by law enforcement, and the rise of authoritarian governments. The decision comes as 23andMe, a major source of user-submitted genetic data for openSNP, faces bankruptcy and a potential selloff of user data . Founded in 2011, openSNP allowed users to upload genetic data from services like 23andMe to make it freely available for scientific research. Co-founder Bastian Greshake Tzovaras said the closure was triggered in part by the collapse of 23andMe and the broader political climate. Speaking to TechCrunch, he stated : “The risk/benefit calculus of providing free and open access to individual genetic data in 2025 is very different compared to 14 years ago.” The database has collected roughly 7,500 genomes and supported academic work across biomedical research, information security, and more. But its founder now questions the ...