Nearly 1 million Medicare beneficiaries have recently learned that their personal information may have been compromised in a data breach last year. This incident comes on the heels of another incident and highlights the ongoing challenges in protecting sensitive health care data and the importance of staying vigilant about your personal information.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

Nearly 1 million Medicare beneficiaries face data breach

A total of 946,801 Medicare beneficiaries may have had their personal data exposed due to a security vulnerability. (Kurt "CyberGuy" Knutsson)

The breach: What happened?

The Centers for Medicare & Medicaid Services (CMS) is notifying 946,801 Medicare beneficiaries that their personal data may have been exposed due to a security vulnerability in the MOVEit file transfer software used by Wisconsin Physicians Service Insurance Corp., a CMS contractor.

On July 8, 2024, Wisconsin Physicians Service (WPS) Insurance Corp. informed CMS about a cybersecurity incident involving MOVEit, a file transfer software. This incident compromised files containing protected health information, including Medicare claims data and other personally identifiable information.

The vulnerability in the MOVEit software allowed unauthorized access to personal information between May 27 and May 31, 2023. Progress Software, the developer of MOVEit, discovered and publicly disclosed this vulnerability on May 31, 2023, promptly releasing a software patch to address the issue.

WPS immediately applied the patch and conducted an initial investigation, which did not reveal any evidence of unauthorized file access at that time. However, in May 2024, new information prompted WPS to conduct a more thorough review with the assistance of a third-party cybersecurity firm. This review confirmed that while the vulnerability was successfully patched in early June 2023, an unauthorized third party had copied files from WPS's MOVEit system before the patch was applied.

In coordination with law enforcement, WPS evaluated the impacted files. Initially, the examined portion did not contain personal information. However, on July 8, 2024, WPS discovered that some files in a different portion did contain personal information, leading to the immediate notification of CMS.

As of now, CMS and WPS are not aware of any reports of identity fraud or misuse of personal information resulting directly from this incident. Nevertheless, they are taking proactive measures to notify potentially affected individuals and provide resources to help protect their personal information.

It's important to note that this incident does not affect current Medicare benefits or coverage.

Nearly 1 million Medicare beneficiaries face data breach

The data breach does not affect Medicare benefits or coverage. (Kurt "CyberGuy" Knutsson)

What information was exposed?

The compromised data potentially includes:

  • Names
  • Addresses
  • Birth dates
  • Social Security numbers
  • Medicare Beneficiary Identifiers (MBIs)
  • Hospital account numbers
  • Dates of services

Steps being taken by CMS

The Centers for Medicare & Medicaid Services and Wisconsin Physicians Service Insurance Corp. are taking comprehensive measures to address the data breach and protect affected beneficiaries. They have initiated a process of mailing written notifications to all individuals whose information may have been compromised. These notifications provide detailed information about the breach and offer guidance on protective steps.

In addition to the notifications, CMS and its contractor are offering affected beneficiaries complimentary credit monitoring services for a period of 12 months. This service will help individuals monitor their credit reports for any suspicious activity that could indicate identity theft or fraud.

Furthermore, CMS is taking the proactive step of issuing new Medicare cards to beneficiaries whose Medicare Beneficiary Identifiers (MBIs) were potentially exposed in the breach. These new cards will contain updated MBIs, effectively invalidating the compromised numbers and adding an extra layer of security to beneficiaries' accounts.

To ensure transparency and provide clear guidance, WPS has prepared a comprehensive letter that is being sent to all potentially affected individuals. This letter outlines the nature of the breach, the specific information that may have been compromised, and it details instructions on how to utilize the offered protection services. It also includes contact information for further assistance and answers to frequently asked questions, helping beneficiaries navigate this challenging situation with as much support as possible.

We reached out to CMS for a comment on this article, and a rep provided this statement: "We take the privacy and security of your Medicare information very seriously. CMS and WPS apologize for the inconvenience this incident might have caused you."

Nearly 1 million Medicare beneficiaries face data breach

A person holding an elderly person’s hand (Kurt "CyberGuy" Knutsson)

HACKED, SCAMMED, EXPOSED: WHY YOU'RE ONE STEP AWAY FROM DISASTER ONLINE

What you should do

If you're a Medicare beneficiary, here are some steps you can take to protect yourself:

1) Watch for official communication: CMS will send letters to affected individuals. Be cautious of unsolicited calls or emails claiming to be from Medicare.

2) Monitor your credit: Take advantage of the free credit monitoring services offered if you receive a notification letter.

3) Review your Medicare summary notices: Check for any unfamiliar charges or services.

4) Be alert for scams: Beware of anyone contacting you about needing a new Medicare card. This is likely a scam.

5) Contact Medicare directly: If you're concerned, call 1-800-MEDICARE to ask if your account was involved in any data breaches.

6) Report suspicious activity: If you suspect fraud, contact your state's Senior Medicare Patrol for guidance.

7) Be cautious with digital communications: Don't click on any links or download attachments in unsolicited emails, texts or social media messages claiming to be from Medicare or related to the data breach. These could be phishing attempts to gather more of your personal information. The best way to protect yourself from clicking malicious links is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

8) Use an identity theft protection service: Identity theft companies can monitor personal information like your Social Security Number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best picks on how to protect yourself from identity theft.

9) Consider using a data removal service: Given that Medicare beneficiary information may be exposed online due to data breaches, consider using a reputable data removal service. These services can help reduce your digital footprint by removing your personal information from various online databases and people-search websites. This can make it more difficult for scammers to find and misuse your information. However, be cautious when selecting such a service and ensure it's legitimate, as some scammers may pose as data removal services to collect more of your personal information. Check out my top picks for data removal services here.

Protecting your Medicare information

To safeguard your Medicare data in the future. Never share your Medicare number with unsolicited callers or emailers. Be cautious about giving personal information over the phone or online. Regularly review your Medicare statements for any unusual activity. Keep your Medicare card in a safe place, just like you would a credit card.

PHARMA GIANT'S DATA BREACH EXPOSES PATIENTS' SENSITIVE INFORMATION

Kurt's key takeaways

While data breaches are unfortunately becoming more common, staying informed and taking proactive steps can help mitigate potential risks. Remember, Medicare will never call you unsolicited to ask for personal information or to issue a new card. If you're ever in doubt, hang up and call Medicare directly using the official number on your card or the Medicare website. By staying vigilant and following these guidelines, you can help protect your personal and health care information from potential misuse.

Given the increasing frequency and scale of data breaches in the health care sector, what additional measures do you think Medicare and its affiliated organizations should implement to better protect beneficiaries' personal information and prevent future security incidents? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you'd like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.