The Centers for Medicare & Medicaid Services (“CMS”) and its contractor, Wisconsin Physicians Service Insurance Corporation (“WPS”), recently notified over 940,000 Medicare beneficiaries of a data breach that has potentially exposed their protected health information (“PHI”) and personally identifiable information (“PII”). CMS reported on the breach portal of the U.S. Department of Health and Human Services (“HHS”) that the total number of impacted people was 3,112,815 individuals.

Incident Overview

In May 2024, WPS, a contractor that handles Medicare Part A and B claims for beneficiaries in multiple states, identified that unauthorized third parties had accessed sensitive data due to a vulnerability in MOVEit, a third-party file transfer software used by WPS. The breach occurred between May 27 and May 31, 2023, prior to the application of a patch issued by the software developer, Progress Software, on May 31, 2023. While WPS did not observe evidence of data compromise during its initial investigation in 2023, a subsequent review in May 2024 based on new information confirmed that sensitive files containing PHI and PII had been copied.

The compromised information includes the following Medicare beneficiary information: (i) names, (ii) social security numbers or individual taxpayer identification numbers, (iii) dates of birth, (iv) Medicare beneficiary identifiers (“MBIs”) or health insurance claim numbers, (v) hospital account numbers, (vi) dates of service, and (vii) other health-related information.

CMS and WPS Response

In response to the incident, CMS and WPS have initiated a comprehensive investigation involving law enforcement and cybersecurity experts. To mitigate harm, they are: (i) mailing breach notifications to affected Medicare beneficiaries, (ii) offering 12 months of free credit monitoring services through Experian, and (iii) issuing new Medicare cards with updated MBIs for those affected.

CMS has emphasized that the breach does not impact current Medicare benefits or coverage. However, the incident serves as a stark reminder of the vulnerabilities associated with third-party software used in healthcare operations.

Considerations for Healthcare Providers and Organizations

Healthcare providers and organizations that submit Medicare claims or interact with CMS systems may be indirectly affected by this breach, particularly if patient information was compromised during WPS’s processing of Medicare claims. Organizations should be aware of potential risks to patient privacy and identity theft, as well as the legal and regulatory implications surrounding PHI breaches under HIPAA and other applicable laws.

Given the wide-reaching implications of this breach, healthcare organizations should consider taking steps to ensure they are safeguarding against similar incidents, including steps such as the following:

1. Review Vendor Contracts and Security Protocols: Ensure that any third-party vendors handling sensitive information, such as PHI or PII, have strong cybersecurity protocols in place. This includes regular patching of software vulnerabilities and security audits.
2. Conduct Regular Cybersecurity Audits: Periodically audit the organization’s internal systems and any third-party software used in healthcare operations. Identify potential vulnerabilities and implement robust controls to protect patient data.
3. Enhance Incident Response Plans: Review and update the organization’s data breach response plans to ensure prompt detection, reporting, and remediation in the event of a breach. Timely communication with affected individuals and regulatory bodies is critical to mitigating risks.
4. Strengthen Compliance with HIPAA and Other Regulations: Ensure that the organization’s data security practices comply with HIPAA and other applicable privacy laws and regulations. Breaches involving PHI can lead to significant penalties, both financial and reputational.
5. Monitor Patient Communications: As notifications are sent to affected beneficiaries, healthcare providers may be contacted by concerned patients about potential data exposure. Be prepared to guide patients on steps they can take to protect their identities and mitigate potential risks, including enrolling in identity protection services and monitoring their credit reports.

Conclusion and Key Takeaways

The recent CMS and WPS data breach is simply the latest reminder that healthcare organizations must remain vigilant in protecting sensitive patient information from cyber threats. It underscores the importance of implementing stringent data security measures when handling such information. Third-party software vulnerabilities, like the MOVEit incident, can have far-reaching consequences for healthcare organizations, making it essential to (i) regularly patch and update third-party software, (ii) strengthen internal security protocols, (iii) educate staff on data privacy best practices, and (iv) ensure robust incident response strategies are in place. By reviewing current security practices and enhancing incident response plans, healthcare providers can better manage the risks associated with data breaches and ensure compliance with federal and state privacy laws.

Listen to this post