WASHINGTON—The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have responded to a May 2023 data breach in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. (Maximus), a contractor to the Medicare program, that involved Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No HHS or CMS systems were impacted. Maximus is among the many organizations in the United States that have been impacted by the MOVEit vulnerability. This week, CMS and Maximus are sending letters to individuals who may have been impacted notifying them of the breach and explaining actions being taken in response. CMS estimates the MOVEit breach impacted approximately 612,000 current Medicare beneficiaries.
CMS and Maximus are notifying Medicare beneficiaries whose PII and/or PHI may have been exposed that they are being offered free-of-charge credit monitoring services for 24 months. This notification also contains information about how impacted individuals can obtain a free credit report, and, for those beneficiaries whose Medicare Beneficiary Identifier number may have been impacted, information on receiving a new Medicare card with a new number.
Below is a sample of the letter being sent to those who are potentially affected:
Dear <<Name 1>>
The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, and Maximus Federal Services, Inc. (Maximus), are writing to inform you of an incident involving your personal information related to services provided by Maximus. Maximus is a CMS contractor that provides appeals services in support of the Medicare program.
The incident involved a security vulnerability in the MOVEit software, a third-party application which allows for the transfer of files during the Medicare appeals process. Maximus is among the many organizations in the United States that have been impacted by the MOVEit vulnerability.
We are sending you this letter so that you can understand more about this incident, how we are addressing it, and additional steps you can take to further protect your privacy. We are providing information with this notice on free credit monitoring services and, if your Medicare Beneficiary Identifier (MBI) was impacted, will be giving you a new Medicare card with a new Medicare Number. This does not impact your current Medicare benefits or coverage.
Our understanding is as follows: On May 30, 2023, Maximus detected unusual activity in its MOVEit application. Maximus began to investigate and stopped all use of the MOVEit application early on May 31, 2023. Later that same day, the third-party application provider, Progress Software Corporation, announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.
Maximus notified CMS of the incident on June 2, 2023. To date, the ongoing investigation indicates that on approximately May 27 through 31, 2023, the unauthorized party obtained copies of files that were saved in the Maximus MOVEit application, but that no CMS system has been compromised. After notifying CMS, Maximus then began to analyze the files to determine which data had been affected. As part of that analysis, it was determined that those files contained some of your personal information.
What Information Was Involved?
We have determined that your personal and Medicare information was involved in this incident. This information may have included the following:
- Social Security Number or Individual Taxpayer Identification Number
- Date of Birth
- Mailing Address
- Telephone Number, Fax Number, & Email Address
- Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
- Driver’s License Number and State Identification Number
- Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
- Healthcare Provider and Prescription Information
- Health Insurance Claims and Policy/Subscriber Information
- Health Benefits & Enrollment Information
What Are We Doing?
When the incident was discovered, Maximus began an investigation, took the MOVEit application offline, applied MOVEit software patches, and notified law enforcement. CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS.
What Can You Do?
- Enroll in Experian Identity and Credit Monitoring Services
Maximus is offering a complimentary 24 months of credit monitoring and other services from Experian at no cost to you. You do not need to use your credit card or any other form of payment to enroll in the service.
Please see Attachment #1 for information on how to utilize your free Experian Services.
- Obtain a Free Credit Report
Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies listed above. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. When you receive your credit reports, review them for problems. Identify any accounts you didn’t open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Even if you don’t find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you still check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Please see Attachment #2 for additional steps you can take to protect your information.
- Continue to Use Your Existing Medicare Card
At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, if your MBI was impacted, a new Medicare card with a new number will be issued to you. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
- Follow the instructions in the letter that comes with your new card.
- Destroy your old Medicare card.
- Inform your providers that you have a new Medicare Number.
For More Information
We take the privacy and security of your Medicare information very seriously. CMS and Maximus apologize for the inconvenience this privacy incident might have caused you.
If you have any further questions regarding this incident, please call the Experian dedicated and confidential toll-free response line at xxx-xxx-xxxx. This response line is staffed with professionals familiar with this incident who know what you can do to protect against misuse of your information. The response line is available Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays).
You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.