More than 330,000 Medicare recipients affected by MOVEit breach
In the latest disclosures related to a Russian ransomware gang’s exploitation of the popular MOVEit file transfer service, a federal government agency revealed that more than 330,000 Medicare recipients were affected in a leak of sensitive data.
The U.S. Center for Medicare & Medicaid Services (CMS) provides health coverage to more than 160 million people through Medicare, Medicaid, the Children's Health Insurance Program, and the Health Insurance Marketplace.
In a notice on Thursday, the organization said it is sending letters to those who may have been impacted by a breach of the corporate network of Maximus Federal Services — a CMS contractor that used Progress Software’s MOVEit Transfer.
The information accessed includes:
- Social Security numbers
- Dates of birth
- Phone numbers
- Medicare Beneficiary Identifiers (MBI) or Health Insurance Claim Numbers
- Driver’s License Numbers and State Identification
- Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
- Healthcare Provider and Prescription Information
- Health Insurance Claims and Policy/Subscriber Information
“CMS and Maximus Federal Services are notifying people with Medicare whose [personal identifiable information] may have been exposed that they are being offered free-of-charge credit monitoring services for 24 months,” they said.
“This notification also contains information about how impacted individuals can obtain a free credit report, and, for those individuals whose Medicare Beneficiary Identifier number may have been impacted, information on receiving a new Medicare card with a new number.”
CMS provided a sample of the letter, which explains that Maximus “is among many organizations in the United States that have been impacted by the MOVEit vulnerability.”
They reiterated that no CMS systems were compromised and only copies of files that were saved in the Maximus MOVEit application were accessed from May 27 through May 31. Maximus informed CMS of the breach on June 2.
Maximus, an IT firm that also provides services to U.S. student loan servicers and other government programs, confirmed in July, in a regulatory filing with the U.S. Securities and Exchange Commission (SEC), that the information of up to 10 million people may have been accessed by hackers exploiting a MOVEit vulnerability.
Hundreds of critical organizations across the globe reported widespread theft of data by Clop, a Russian-speaking ransomware gang with a proven track record of exploiting bugs in file transfer software.
More than five months since the vulnerability was announced, companies continue to notify state and federal regulators of breaches related to the incident as investigations continue.
Just last week, the state of Maine confirmed that more than 1.3 million people were affected by the incident because multiple departments used the MOVEit tool.
Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. One of the lawyers for a class action suit against Progress Software previously told Recorded Future News that the breach was a “cybersecurity disaster of staggering proportions.”
Progress Software said last month that it is facing 58 class action lawsuits as well as federal, state and international investigations.
Emsisoft threat analyst Brett Callow, a cybersecurity expert who has tracked the MOVEit disclosures for months, said the breach is a prime example of why efforts by U.S. cybersecurity officials to promote the “Secure By Design” initiative — a concept in which cybersecurity is baked into all parts of the technology chain — are “absolutely critical to helping to make organizations less vulnerable.”
“The massive number of victims combined with the sensitivity of the data that was exposed means this is likely one of the most significant incidents of all time and it illustrates that security can be really hard and that even organizations with mature cybersecurity and robust protocols in place can be blindsided by supply chain attacks,” he said.
“There are lots of takeaways from the incident, but perhaps the most important is that we really need to focus on ensuring that software is more secure. At the end of the day, attacks like those on the MOVEit platform will always be very hard to defend against. The key is ensuring that organizations don’t need to defend against them because the software they’re using is secure.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.