The personal information of 612,000 Medicare beneficiaries was accessed in a sweeping data breach that affected what could be hundreds of organizations, including the government contractor Maximus Federal Services.
The Centers for Medicare & Medicaid Services (CMS) announced in a press release Friday that it is notifying people affected by the data breach, which could have affected information including beneficiaries' names, Social Security numbers, medical histories, diagnoses and other personal details.
CMS said no CMS or Health and Human Services systems have been affected.
CMS and Maximus, a CMS contractor that assists in the Medicare appeals process, are sending letters to those “potentially affected” and are offering recipients two years of free credit monitoring services.
The letter also provides information on steps to take to receive a new Medicare Beneficiary Identifier number, for those to whom that applies.
The data breach targeted a security vulnerability in the MOVEit software, a third-party application Maximus uses to facilitate the transfer of files during the appeals process.
Maximus determined that at least 8 million to 11 million people were affected by the data breach, including the 612,000 Medicare beneficiaries notified.
The attack took place between approximately May 27 and 31, 2023, according to the most up-to-date information in the ongoing CMS investigation. During that time, the “unauthorized party” obtained access to files saved on the MOVEit application.
On May 30, 2023, Maximus detected unusual activity in the MOVEit software, prompting Maximus to investigate and then stop use of the application. Maximus notified CMS of the incident on June 2, 2023.
Reports indicate that the data breach could have affected more than 400 organizations and the information of approximately 23 million people.
Russian ransomware group Clop reportedly claimed responsibility for the attack.