CMS: 3.1 Million Individuals Affected by MOVEit Hack in 2023
The U.S. Centers for Medicare and Medicaid Services (CMS) has confirmed that more than 3.1 million individuals were affected by an attack on the MOVEit file transfer solution by the Clop group last year.
In May 2023, the Clop hacking group mass exploited a zero day vulnerability in Progress Software’s MOVEit Transfer tool, which is used by many organizations for transferring large files. More than 2,700 organizations were attacked by the Clop group by exploiting the vulnerability, allowing the group to steal vast amounts of sensitive data. The attacked organizations were issued with ransom demands, payment of which was necessary to prevent the publication of the stolen data.
In early September, the CMS announced that the MOVEit tool was used by Wisconsin Physicians Service, a provider of administrative services to the CMS under the Medicare program. The CMS and Wisconsin Physicians Service said they were notifying 946,801 individuals that their data had been stolen in the attack.
The delay in reporting the breach was due to Wisconsin Physicians Service initially determining that the Clop group had not obtained any data; however, a year after the attack, new evidence came to light prompting a further review of the incident. That review confirmed that the vulnerability was exploited by the Clop group between May 27, 2023, and May 31, 2023, prior to the patch being applied, and that sensitive data was copied by the group.
The stolen data included names along with one or more of the following: Social Security number/individual taxpayer identification number, mailing address, date of birth, gender, hospital account number, date(s) of service, Medicare Beneficiary Identifier (MBI), and/or health insurance claim number.
The data breach was reported to the HHS by the CMS, and while the CMS said 946,801 notifications were sent to individuals currently with Medicare, more than three times as many individuals – 3,112,815 – were affected.
The CMS explained the discrepancy as being due to Wisconsin Physicians Service storing data for many individuals who were deceased and also that data had been collected of individuals who were not Medicare beneficiaries.
