
More than 3 million Medicare users had information leaked in MOVEit breach

Updated Sept. 10 with new information from CMS and WPS showing increases in the number of people affected and the number of states impacted.

Sensitive information belonging to 3.1 million people across several states was breached during the cybercriminal campaign last year that targeted the popular MOVEit file transfer service.

The Centers for Medicare & Medicaid Services (CMS) — the federal agency that manages the Medicare program — and the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.

According to the release, 946,801 people are being sent notices explaining that their names, Social Security numbers, birthdays, addresses, Medicare account numbers, health insurance information and more were leaked.

But a CMS spokesperson told Recorded Future News that the total number of people affected is actually much larger at 3.1 million, including “an estimated 1.9 million non-Medicare individuals, and an estimated 1.2 million people with Medicare, of whom approximately 247,000 are now deceased, and 946,801 living.”

WPS also contacted Recorded Future News to say that despite its name, it processes Medicare claims in six states: Illinois, Iowa, Kansas, Michigan, Missouri and Nebraska. “But beneficiaries elsewhere could be affected if they used providers in those states,” a WPS spokesperson said. 

“No files or information related to any of WPS’ other lines of business were impacted in this event; no files relating to WPS’ commercial insurance lines of business, including Medicare supplement insurance, or other federal and state contract work were involved.”

CMS said on Friday that it will send victims new Medicare cards in the coming weeks. After getting the new card, those affected were asked to destroy their old ones and inform their providers that they have a new Medicare number.

The letters explain that when the original attacks were announced in May 2023, WPS — which is the Wisconsin state contractor that handles Medicare claims and other services — applied the patch for the MOVEit vulnerability and did not find evidence that their systems were accessed by the hackers. 

But “acting on new information,” in May 2024 WPS conducted another investigation of its MOVEit file transfer system with an unnamed cybersecurity company. They confirmed that hackers had copied files from its system before WPS applied the patch.

In July, WPS notified CMS that files containing personal information had been accessed between May 27 and May 31, 2023. 

The stolen data was collected while WPS was managing Medicare claims and auditing healthcare providers, and the contractor used MOVEit to send the files to CMS.

In addition to the letters being sent out, CMS is posting a notice on its website for people whose up-to-date contact information they could not find. 

The federal agency said it is still investigating the incident and is working with law enforcement on the effort. 

They urged victims to sign up for the one year of free credit monitoring services and to generally watch their accounts for fraudulent activity. 

The campaign against MOVEit is considered by some experts to be one of the largest data breaches ever, with cybersecurity firm Emsisoft estimating that 2,773 organizations were impacted by the attacks on MOVEit. The records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

The incident caused international outrage as dozens of government agencies, Fortune 500 companies and more confirmed that troves of data had been stolen by hackers connected to the Clop ransomware gang.

The gang is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

Last month, the Securities and Exchange Commission said it would not pursue enforcement action against the company behind MOVEit — Progress Software — but it is still facing approximately 144 class action lawsuits and several insurance claims, as well as other state, federal and international investigations.

CMS — which provides health coverage to more than 160 million people through Medicare, Medicaid, the Children's Health Insurance Program and the Health Insurance Marketplace — said last November that 330,000 Medicare recipients were impacted when the Clop hackers breached the MOVEit system used by a contractor.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.