Medicare recipients may be affected by data breach

Medicare data breach overview: 

• Who: The Centers for Medicare & Medicaid Services and Wisconsin Physicians Service Insurance Corporation are informing nearly 1 million Medicare beneficiaries that their personal information may have been exposed during last year’s data breach involving the MOVEit file transfer system. 
• Why: The Wisconsin Physicians Service said it initially did not think it was affected by the MOVEit data breach prior to conducting an additional review of the incident in May. 
• Where: The Medicare data breach affects certain Medicare recipients nationwide. 

Nearly 1 million Medicare recipients are being notified that their protected health information or other personally identifiable information (PII) may have been exposed during last year’s MOVEit file transfer system data breach. 

The Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corporation (WPS) are notifying Medicare beneficiaries whose PII could have been compromised during the data breach, according to the CMS. 

The CMS said the data breach may have exposed PII collected by the WPS from Medicare beneficiaries when managing Medicare claims or PII that was collected to support CMS audits of healthcare providers that some non-Medicare beneficiaries have visited to receive healthcare. 

“CMS and WPS are mailing written notifications to 946,801 current people with Medicare whose PII may have been exposed, informing them of the breach and explaining actions being taken in response,” the CMS said. 

The agencies said information potentially exposed in the MOVEit data breach includes names, birthdates, mailing addresses, genders, hospital account numbers, dates of service and Social Security numbers, among other things. 

Medicare data breach exposed beneficiaries’ information

The CMS said the WPS notified it on July 8 that files containing protected health information were compromised during the MOVEit data breach in May 2023. 

The WPS said it did not observe any evidence that it was impacted by the MOVEit data breach at the time of incident, according to the CMS, which said another review conducted by the WPS in May 2024 found an unauthorized third party had in fact copied files from it during the data breach. 

According to the CMS, the WPS initially believed the stolen files did not contain any personal information; however, a later evaluation of a different portion of the impacted files found some of the files did contain personal information. 

“On July 8, 2024, when evaluating a different portion of the impacted files, WPS determined that some of the files contained Personal Information, at which point it informed CMS,” the CMS said. 

The CMS said the agencies are not aware of any reports of identity fraud or improper use of any of the exposed beneficiary data. Affected Medicare beneficiaries will also be receiving a new Medicare card and number, according to a sample letter from the WPS. 

Separately, the Department of Health and Human Services and the CMS jointly announced last summer that the MOVEit data breach may have affected more than 600,000 current Medicare beneficiaries.

Are you affected by the Medicare data breach? Let us know in the comments.

Read About More Class Action Lawsuits & Class Action Settlements:

• Avis data breach reportedly affects nearly 300,000 customers
• Builders Mutual Insurance Co. data breach class action to proceed with settlement
• Dick’s Sporting Goods confirms data breach
• Toyota data breach exposes customer, employee info