947K Individuals Notified by WPS and CMS About the MOVEit Hack in May 2023

by Ryan Coyne | Sep 13, 2024

The Wisconsin Physicians Service Insurance Corporation (WPS) and Centers for Medicare & Medicaid Services (CMS) are notifying approximately 947,000 people about the compromise of some of their protected health information (PHI) and personally identifiable information (PII) due to a security breach in May 2023.

WPS handles administrative services for CMS related to Medicare, such as processing Medicare Part A and B claims. The data breach resulted from the exploitation of a zero-day vulnerability in Progress Software's MOVEit file transfer software, which WPS uses to transfer files while performing its services for CMS.

Progress Software identified the vulnerability and released a patch on May 31, 2023. However, before the patch was available, the Cl0p ransomware group had already exploited the vulnerability, stealing data from MOVEit users in what became the largest hacking incident of 2023. According to cybersecurity firm Emsisoft, which monitors breach reports, the attack impacted more than 2,700 organizations, resulting in the theft of the data of about 96 million people. The hardest-hit organizations included Delta Dental of California and its affiliates (6.9 million), Welltok (10 million), and Maximus (11.3 million records). The education and healthcare industries were most affected, representing 39% and 20% of impacted organizations, respectively.

CMS had already reported to the HHS' Office for Civil Rights (OCR) that the data of 2.34 million individuals was affected by the MOVEit breach through Maximus, one of its service providers. This new report about WPS is separate from the Maximus incident. Although the breach affecting WPS is not yet posted on the OCR breach portal, CMS and WPS have stated they are notifying 946,801 impacted individuals.

The notification letters state that Progress Software notified WPS about the vulnerability on May 31, 2024. WPS applied the software patch to address the vulnerability and started an investigation to determine whether the vulnerability had already been exploited. In its 2023 investigation, WPS found no evidence suggesting that the Cl0p group had stolen files from its MOVEit application.

However, in May 2024, one year after identifying and patching the vulnerability, new information prompted WPS to conduct an additional review of the MOVEit system. With the help of a third-party cybersecurity company, WPS confirmed that the vulnerability had been successfully patched in early June 2024, and that no unauthorized activity inside its MOVEit application had been detected after the patch was applied.

The 2024 investigation did, however, find evidence that the Cl0p group had exploited the vulnerability between May 27, 2023 and May 31, 2023. Before the patch was applied, the threat actor extracted files from WPS's MOVEit software. WPS reviewed part of the compromised files and did not find any personal data. On July 8, 2024, while reviewing another set of files, WPS discovered personal data and advised CMS of this discovery.

The compromised data included the names of Medicare beneficiaries together with at least one of the following: Social Security number or individual taxpayer ID number, date of birth, gender, mailing address, hospital account number, dates of service, medical insurance claim number, and Medicare Beneficiary Identifier (MBI). The investigation of the breach is not yet complete; law enforcement officials and cybersecurity professionals have been engaged to strengthen the protection of sensitive data. Covered entities would likely be required to provide HIPAA training to ensure the protection of PHI. Impacted individuals were offered free credit monitoring and related services for one year.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
