Dive Brief:
- The sensitive personal and health information of approximately 612,000 Medicare beneficiaries was exposed as part of the MOVEit transfer service breaches, according to the CMS.
- A Medicare contractor, Maximus Federal Services, was hit by the sweeping breach, which exploited a security vulnerability in MOVEit, in May. The CMS said no HHS or CMS systems were impacted.
- Maximus, which contracts with federal and state governments on programs like Medicare and Medicaid, disclosed last week that the personal and protected health information of as many as 11 million individuals could be compromised because of its breach.
Dive Insight:
Maximus, which contracts with the government on file transfer during the Medicare appeals process, is one of hundreds of organizations that have been impacted by the MOVEit vulnerability.
MOVEit — a file-transfer service that’s used by many government agencies and highly regulated companies — was hit by a cyberattack in May that’s since reverberated across industries.
Maximus informed CMS in early June of the incident, which could have affected a range of personal and medical information of Medicare beneficiaries, like names, Social Security numbers and medical histories, including diagnoses.
The CMS said it and Maximus are notifying individuals who might have been impacted.
The Russia-linked Clop crime group, which has a history of targeting healthcare organizations, has taken responsibility for the attack. In February, the HHS warned that Clop was responsible for recent breaches at healthcare organizations, including Tennessee-based Community Health Systems.
The breach has affected more than 500 organizations so far, exposing the data of almost 37 million people, according to cybersecurity firm Emsisoft.
Hacking incidents at healthcare companies have been increasing as more hospitals and payers invest in and adopt digital tools, but not heightened cybersecurity protocols. Along with healthcare companies, their third-party vendors can be a common source of breaches.
From 2010 to 2022, 385 million patient records were exposed due to breaches, according to federal records.
Earlier this month, for-profit hospital giant HCA reported a data security incident that could have affected the data of more than 11 million patients.