CMS: 3.1 Million Individuals Affected by MOVEit Hack in 2023

The U.S. Centers for Medicare and Medicaid Services (CMS) has confirmed that more than 3.1 million individuals were affected by an attack on the MOVEit file transfer solution by the Clop group last year.

In May 2023, the Clop hacking group mass exploited a zero day vulnerability in Progress Software’s MOVEit Transfer tool, which is used by many organizations for transferring large files. More than 2,700 organizations were attacked by the Clop group by exploiting the vulnerability, allowing the group to steal vast amounts of sensitive data. The attacked organizations were issued with ransom demands, payment of which was necessary to prevent the publication of the stolen data.

In early September, the CMS announced that the MOVEit tool was used by Wisconsin Physicians Service, a provider of administrative services to the CMS under the Medicare program. The CMS and Wisconsin Physicians Service said they were notifying 946,801 individuals that their data had been stolen in the attack.

The delay in reporting the breach was due to Wisconsin Physicians Service initially determining that the Clop group had not obtained any data; however, a year after the attack, new evidence came to light prompting a further review of the incident. That review confirmed that the vulnerability was exploited by the Clop group between May 27, 2023, and May 31, 2023, prior to the patch being applied, and that sensitive data was copied by the group.

The stolen data included names along with one or more of the following: Social Security number/individual taxpayer identification number, mailing address, date of birth, gender, hospital account number, date(s) of service, Medicare Beneficiary Identifier (MBI), and/or health insurance claim number.

The data breach was reported to the HHS by the CMS, and while the CMS said 946,801 notifications were sent to individuals currently with Medicare, more than three times as many individuals – 3,112,815 – were affected.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

The CMS explained the discrepancy as being due to Wisconsin Physicians Service storing data for many individuals who were deceased and also that data had been collected of individuals who were not Medicare beneficiaries.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/