TLDR:
- 946,801 Medicare beneficiaries notified of May 2023 MOVEit breach
- Protected health and personal information compromised
In September 2024, the Centers for Medicare & Medicaid Services (CMS) disclosed that nearly a million Medicare beneficiaries were impacted by the May 2023 MOVEit breach. The breach, affecting a third-party contractor managing Medicare claims, exposed protected health information and personally identifiable data. Despite efforts to patch the zero-day vulnerability, the Clop ransomware gang exploited the system, stealing Medicare beneficiaries’ names, Social Security Numbers, dates of birth, and more.
WPS, the contractor, confirmed the breach and launched investigations to determine the extent of the data exposure. Measures are being taken to address the breach, including providing credit monitoring services and new Medicare cards to potentially affected individuals. While there is no evidence of misuse of the stolen information, CMS continues to work with cyber forensics experts and law enforcement to investigate the incident.
The MOVEit breach highlights the ongoing threat posed by zero-day vulnerabilities and underscores the need for organizations to implement a defense-in-depth strategy to mitigate such risks. CMS has apologized for any inconvenience caused by the breach and is taking steps to ensure the security and privacy of affected Medicare beneficiaries.