Cyberhack Exposes Data on 600,000-Plus Medicare Beneficiaries

Other organizations compromised by the recent hack include Louisiana’s Office of Motor Vehicles, Oregon’s driver’s license database, Siemens Energy, UCLA and British Airways.

“I don’t think we’ve gotten to the end of this rope yet,” says James E. Lee, chief operating officer at the nonprofit Identity Theft Resource Center (ITRC) in San Diego, which educates consumers on the risks of identity theft. “Our information is in so many different places, it’s hard for an individual to keep track of where it is.”

Alarming as it is, the MOVEit hack is merely one of 1,587 data breaches reported by the ITRC so far this year, which by the end of 2023 could put it well in range of the all-time high of 1,862 breaches in 2021.

What you can do

Here are some steps to take if you believe you’re affected by the breach.

1. Enroll in Experian identity and credit monitoring services. Maximus is offering two years of free credit monitoring and other services from Experian. The Maximus/CMS letter says you don’t need to use your credit card or any other form of payment to receive these services.

2. Obtain a free credit report. Under federal law, you’re entitled to one free credit report from one of the three major nationwide credit reporting agencies, Equifax, Experian and TransUnion every 12 months.

You can request a report by calling 1-877-322-8228 or by visiting www.annualcreditreport.com. Review them for any problems. Look out for accounts you didn’t open or inquiries from creditors you didn’t authorize. Contact the agency to report any errors.  

3. Review your credit reports periodically. Don’t wait for a well-publicized incident. This is prudent advice even if suspicious activity isn’t suspected.  

4. Contact law enforcement. If you uncover something suspicious, get in touch with local law enforcement and file a police report.  

5. Complain to the FTC. You can add your complaint to the Federal Trade Commission’s Identity Theft Data Clearinghouse, a repository that law enforcement can access. Reach out via email at www.ftc.gov/idtheft, call 1-877-438-4338 or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Ave NW, Washington, DC 20580.

6. Continue to use your current Medicare card. CMS says it isn’t aware of any identity fraud or other improper use of your information because of the breach. Even so, if your Medicare Beneficiary Identifier (MBI) was affected, you’ll receive a new number but it’s your responsibility to notify your providers of the change.

“I know it’s going to be a hassle,” Lee of ITRC says. “But that’s important because if the bad guys go to utilize that [old] number in any way, they’re not going to be able to use the benefit that you [are] rightfully the owner of.”

7. Ask how companies and organizations are going to use your information. “That’s one of the things we should do that we’re probably not doing,” Lee says, suggesting you ask the company if it needs your information and, if so, what it will do with it and how it will protect it?

8. Freeze your credit. Don’t just monitor it, freeze it, Lee says.

9. Choose unique passwords. Don’t use the same or similar passwords across all accounts, security experts say. For an extra layer of protection, employ a secondary form of validation, preferably with an app, but sometimes via phone or some other device. This is known as multifactor authentication.

Medicare beneficiaries: Review your Medicare Summary Notice, the quarterly statement of Medicare charges, for any suspicious activity. You should also check your online Medicare account. You can report potential Medicare fraud to 800-Medicare or contact your state’s Senior Medicare Patrol.