Tech & Innovation in Healthcare

Technology & Innovation:

CMS Notifies Beneficiaries of a Security Vulnerability

Question: Why does it seem that only private payers are victims of data breaches? Do government payers ever experience cyberattacks?

Washington Subscriber

Answer: You are correct that it seems only private payers and clearinghouses experience data breaches. Reports of these attacks lead news coverage and cover the front pages because of the targets and the number of people affected. However, government payers also fall victim to security breaches.

For example, on Sept. 6, 2024, the Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) announced that the organizations have started informing people that their protected health information (PHI) or personally identifiable information (PII) may have been acquired by unauthorized attackers in a data breach.

CMS and WPS have been mailing notifications to more than 946,000 Medicare recipients to alert them to the breach and keep them apprised of the actions being taken.

According to a CMS press release, the breach’s announcement follows “discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS.”

An unauthorized third party exploited the MOVEit security hole between May 27 and May 31, 2023. Progress Software found and disclosed information about the vulnerability on May 31, 2023, and released a software patch the same day. The company performed an investigation into the vulnerability, but didn’t find any evidence of compromised PHI or PII in 2023.

However, in May 2024, WPS conducted another review of the MOVEit software with help from a third-party cybersecurity firm. Progress Software began the additional review after receiving new information regarding the security vulnerability. The company found the June 2023 patch was successful, but it also discovered a malicious actor copied files from the file transfer system. On July 8, 2024, Progress Software concluded that some of the files copied contained personal information.

According to CMS, the personal information compromised includes:

  • “Name
  • Social Security number or individual taxpayer identification number
  • Date of birth
  • Mailing address
  • Gender
  • Hospital account number
  • Dates of service
  • Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number.”

Mike Shaughnessy, BA, CPC, Development Editor I, AAPC