CMS Notifies Medicare Beneficiaries Potentially Affected by Data Breach

The Situation Report | September 9, 2024

HCA has learned that the Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) began notifying people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.

The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive health care services.

CMS and WPS are mailing written notifications to 946,801 current people with Medicare whose PII may have been exposed, informing them of the breach and explaining actions being taken in response. CMS is also posting a substitute notice with similar information for those individuals for whom there is insufficient or out-of-date contact information for sending a written notification.

View the full letter here.

If you are impacted by the data breach or use the MOVEit software, please let us know at jvandecarr@hcanys.org. HCA will keep you informed as we learn more.