This security incident, impacting WPS and numerous other organizations nationwide, stems from a vulnerability in the MOVEit software developed by Progress Software. The breach potentially compromised the PII of Medicare beneficiaries collected for claims management, as well as data gathered for CMS audits of healthcare providers, which may include individuals who are not Medicare beneficiaries but received care at audited facilities.
CMS and WPS have initiated a comprehensive response, including mailing written notifications to 946,801 current Medicare recipients whose PII may have been exposed. These notifications detail the breach and outline the steps being taken to address it. For individuals with insufficient or outdated contact information, CMS is also issuing a substitute notice to ensure broad awareness of this news.
Below is an example of the notification letter being dispatched by WPS to potentially affected individuals:
Dear [Name]:
We are writing to inform you about a security incident involving your personal information related to Medicare services. This notice comes from the Centers for Medicare & Medicaid Services (CMS), the federal agency overseeing Medicare, and Wisconsin Physicians Service Insurance Corporation (WPS), a CMS contractor managing Medicare claims in your state.
The incident is linked to a vulnerability in MOVEit, a third-party software WPS uses for file transfers during Medicare claims processing. WPS is among many organizations affected by this widespread MOVEit vulnerability.
This letter aims to provide clarity on the incident, explain our response, and guide you on steps to protect your privacy further. We are offering complimentary credit monitoring services and will issue a new Medicare card with a new Medicare Number to you as precautionary measures.
Importantly, your current Medicare benefits and coverage remain unaffected by this incident.
What Happened?
On July 8, 2024, WPS informed CMS of a cybersecurity incident involving MOVEit, where files containing protected health information, including Medicare claims data and personally identifiable information (“Personal Information”), were compromised. Exploitation of the MOVEit software vulnerability occurred between May 27 and May 31, 2023, allowing unauthorized access to Personal Information during file transfers.
Progress Software, MOVEit’s developer, publicly disclosed the vulnerability on May 31, 2023, and released a patch. WPS promptly applied the patch and investigated the potential impact on their systems in 2023. Initial investigations found no evidence of unauthorized file access within the WPS MOVEit application.
However, in May 2024, based on new intelligence, WPS conducted a further review of their MOVEit system with a cybersecurity firm. This review confirmed the successful patching in early June 2023, with no subsequent unauthorized activity. Regrettably, the review also revealed that prior to the patch, unauthorized parties had copied files from WPS’s MOVEit system. Working with law enforcement, initial analysis of some impacted files showed no Personal Information. However, on July 8, 2024, further evaluation of a different set of files revealed the presence of Personal Information, prompting immediate notification to CMS and this current announcement. We are now notifying you because your Personal Information was among the compromised files.
While CMS and WPS have no evidence of identity fraud or misuse of your Personal Information directly resulting from this incident, we are proactively informing you and providing resources to empower you to take protective measures if desired.
What Information Was Involved?
Our investigation confirmed that your Personal Information was present in the files involved in this incident. The potentially exposed information includes:
- Name
- Social Security Number or Individual Taxpayer Identification Number
- Date of Birth
- Mailing Address
- Gender
- Hospital Account Number
- Dates of Service
- Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number
What Are We Doing?
CMS is actively investigating this incident in close coordination with WPS and is committed to taking all necessary actions to protect entrusted information. This ongoing investigation involves collaboration between CMS, WPS, law enforcement, and cybersecurity experts. This notice is part of our commitment to keep you informed and provide resources, as detailed in the “What You Can Do?” section below.
What You Can Do?
- Enroll in Experian Identity Protection Monitoring Services
WPS is offering 12 months of complimentary credit monitoring and identity protection services from Experian. Enrollment is free, requiring no credit card or payment information. Detailed information about these services is enclosed with this notice.
- Obtain a Free Credit Report
Federal law entitles you to a free credit report annually from each of the three major credit bureaus. Request your free reports by calling 1-877-322-8228 or online at www.annualcreditreport.com. Carefully review your credit reports for any unauthorized accounts or inquiries. Verify the accuracy of all information and contact the credit bureau if you find discrepancies or have questions.
The Federal Trade Commission (FTC) recommends periodic credit report reviews, even without known suspicious activity, to promptly identify and address potential issues.
If you detect suspicious activity or believe your information is being misused, file a police report with your local law enforcement and obtain a copy, as it may be required by creditors to resolve fraudulent debts. You can also file a complaint with the FTC online at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will contribute to the FTC’s Identity Theft Data Clearinghouse, accessible to law enforcement. The FTC also provides information on fraud alerts and security freezes.
- Continue to Use Your Existing Medicare Card
Currently, there are no reports of identity fraud or information misuse directly linked to this incident. However, if your MBI was potentially affected, a new Medicare card with a new number will be issued to you by CMS in the coming weeks. Until you receive your new card, continue using your current Medicare card. Upon receiving your new card:
a. Follow the instructions included with your new card.
b. Destroy your old Medicare card securely.
c. Notify your healthcare providers of your new Medicare Number.
For More Information
CMS and WPS understand the importance of your privacy and the security of your Medicare information. We sincerely apologize for any concern or inconvenience this incident may cause.
For further questions regarding this incident, please contact the Experian dedicated toll-free response line at 833-931-5700. Professionals familiar with this incident and protective measures are available Monday through Friday, 8 am – 8 pm Central Time (excluding major U.S. holidays). Please have engagement number B130492 ready.
For general Medicare inquiries, please call 1-800-MEDICARE (1-800-633-4227).
Sincerely,
WPS Medicare Privacy Officer