A far-reaching data breach by a government contractor has put Social Security numbers, birth dates, driver’s license numbers, health insurance claims, medical history notes, prescription information and other personally identifiable information of 612,000 Medicare beneficiaries at risk. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages Medicare, as well as the contractor in question, Maximus Federal Services, have begun sending apology letters to individuals whose data may have been impacted by the May 2023 security breach.
What happened?
On May 30, Maximus detected “unusual activity” in MOVEit, a file transfer application used by commercial and government customers worldwide, and shut the application down the next day following an investigation. That’s also when the application’s provider, Progress Software Corporation, disclosed a vulnerability in the program that “had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.” CMS was notified on June 2.
What information is involved?
According to the Centers for Medicare & Medicaid Services, PII at risk includes:
- Name
- Social Security Number or Individual Taxpayer Identification Number
- Date of Birth
- Mailing Address
- Telephone Number, Fax Number and Email Address
- Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
- Driver’s License Number and State Identification Number
- Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
- Health Care Provider and Prescription Information
- Health Insurance Claims and Policy/Subscriber Information
- Health Benefits and Enrollment Information
It gets worse
In an 8-K filing with the Securities and Exchange Commission on July 26, Maximus estimated that the cost of the investigation and “remediation activities” thus far has been approximately $15 million, though the investigation is ongoing. Moreover, Maximus says files impacted by the cybersecurity hack contain Social Security numbers and protected health information “of at least 8 to 11 million people” whom the company anticipates having to notify.