The Wisconsin Physicians Service Insurance Corporation (WPS) and the Centers for Medicare & Medicaid Services (CMS) are notifying approximately 947,000 people that some of their protected health information (PHI) and personally identifiable information (PII) were compromised in a security breach in May 2023.
WPS provides administrative services to CMS related to Medicare, such as processing Medicare Part A and B claims. The data breach resulted from the exploitation of a zero-day vulnerability in Progress Software's MOVEit file transfer software, which WPS uses to transfer files while performing its services for CMS.
Progress Software identified the vulnerability and released a patch on May 31, 2023. However, before the patch was available, the Cl0p ransomware group had already exploited the vulnerability, stealing data from MOVEit users in what became the largest hacking incident of 2023. According to cybersecurity firm Emsisoft, which monitors breach reports, the attack affected more than 2,700 organizations and resulted in the theft of data on about 96 million people. The hardest-hit companies included Delta Dental of California and its affiliates (6.9 million), Welltok (10 million), and Maximus (11.3 million records). The education and healthcare sectors were the most affected, accounting for 39% and 20% of impacted organizations, respectively.
CMS had already reported to the HHS Office for Civil Rights (OCR) that the data of 2.34 million individuals was affected by the MOVEit breach through Maximus, one of its service providers. This new report about WPS is separate from the Maximus incident. Although the breach affecting WPS has not yet been posted on the OCR breach portal, CMS and WPS have stated that they are notifying 946,801 impacted individuals.
The notification letters state that Progress Software notified WPS of the vulnerability on May 31, 2024. WPS applied the software patch to remediate the vulnerability and launched an investigation to determine whether the vulnerability had already been exploited. The 2023 WPS investigation found no evidence that the Cl0p group had stolen files from its MOVEit application.
However, in May 2024, one year after the vulnerability was identified and patched, new information prompted WPS to conduct an additional review of the MOVEit system. With the help of a third-party cybersecurity company, WPS confirmed that the vulnerability had been successfully patched in early June 2024, and that no unauthorized activity had occurred inside its MOVEit application after the patch was applied.
The 2024 investigation did, however, uncover evidence that the Cl0p group had exploited the vulnerability between May 27, 2023 and May 31, 2023. Before the patch was applied, the threat actor exfiltrated files from WPS's MOVEit software. WPS reviewed a portion of the compromised files and found no personal data. On July 8, 2024, while reviewing another set of files, WPS discovered that they contained personal data and informed CMS of the discovery.
The compromised data included the names of Medicare beneficiaries together with at least one of the following: Social Security number or individual taxpayer identification number, date of birth, gender, mailing address, hospital account number, dates of service, Medicare claim number, and Medicare Beneficiary Identifier (MBI). The investigation into the breach is not yet complete; law enforcement officials and cybersecurity professionals have reinforced the protection of the sensitive data. HIPAA training would likely be required for covered entities to ensure the protection of PHI. Impacted individuals were offered free credit monitoring and related services for one year.