
CMS notifies 946K individuals of third-party data breach

The personally identifiable information of nearly one million Medicare beneficiaries was exposed in a data breach at a third-party CMS contractor.

CMS notified more than 946,000 individuals of a third-party data breach that potentially exposed the protected health information or other personally identifiable information of Medicare beneficiaries.

Wisconsin Physicians Service Insurance Corporation (WPS), a CMS contractor that handles Medicare Part A/B claims, notified CMS of the breach in July 2024. However, the breach occurred in May 2023, when threat actors exploited vulnerabilities in Progress Software's MOVEit managed file transfer software.

As previously reported, the Clop ransomware group exploited a previously unknown SQL injection flaw in MOVEit Transfer (CVE-2023-34362), allowing it to access data from MOVEit databases between May 27 and May 31, 2023.

Progress Software disclosed the vulnerability and issued a patch on May 31, but by then the threat actors had already stolen data from numerous organizations across healthcare and other sectors.

According to CMS, WPS applied the patch in May 2023 and investigated its own systems during the widespread hack, but found no evidence at the time that the vulnerability had been exploited on its systems.

However, WPS acted on new information in May 2024 and determined that, before the May 2023 patch was applied, an unauthorized actor had in fact gained access to WPS' MOVEit file transfer system and copied files.
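The sequence above (patch applied, initial investigation finds nothing, a year later evidence of pre-patch access surfaces) is the caveat practitioners should take from this incident: a patch closes the flaw going forward but says nothing about whether it was already used, and only a retrospective review of the exposure window can answer that. The following is an added example of such a review, not code from CMS, WPS or Progress Software. It scans IIS W3C log lines for the May 27-31, 2023 window stated in the article and flags requests to human2.aspx, the web shell filename published for this campaign in CISA advisory AA23-158A, as well as unusually large responses that could indicate bulk file copying. The log lines are constructed for illustration, and the 100 MB threshold is an assumed value to be tuned to the server's normal traffic.

```python
"""Retrospective review of MOVEit Transfer IIS logs for the 2023 exposure window.

Added example, not code from CMS, WPS or Progress Software. The log lines are
constructed. The indicator '/human2.aspx' is the web shell filename published in
CISA advisory AA23-158A; the date window is the one stated in the article.
"""
from datetime import date

# Exposure window from the article: May 27 through May 31, 2023 (inclusive).
WINDOW_START = date(2023, 5, 27)
WINDOW_END = date(2023, 5, 31)

# Public indicator for the MOVEit Transfer intrusions (CISA AA23-158A).
SUSPECT_PATHS = ("/human2.aspx",)

# Constructed IIS W3C log excerpt (assumed field order given in the #Fields line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-20 09:12:01 198.51.100.7 GET /human.aspx 200 5120
2023-05-28 02:14:33 203.0.113.9 POST /moveitisapi/moveitisapi.dll 200 210
2023-05-28 02:15:01 203.0.113.9 GET /human2.aspx 200 1874
2023-05-28 02:15:42 203.0.113.9 GET /human2.aspx 200 734003200
2023-06-02 11:40:00 198.51.100.7 GET /human.aspx 200 5120
"""


def parse_iis(text):
    """Yield one dict per log record, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def in_window(rec):
    """True if the record's date falls inside the exposure window."""
    d = date.fromisoformat(rec["date"])
    return WINDOW_START <= d <= WINDOW_END


def find_suspect_requests(text, min_bytes=100 * 1024 * 1024):
    """Return (date, time, client_ip, path, reasons) for in-window requests that
    hit a known web shell path or returned at least min_bytes (assumed threshold)."""
    hits = []
    for rec in parse_iis(text):
        if not in_window(rec):
            continue
        reasons = []
        if rec["cs-uri-stem"].lower() in SUSPECT_PATHS:
            reasons.append("webshell-path")
        if int(rec["sc-bytes"]) >= min_bytes:
            reasons.append("large-response")
        if reasons:
            hits.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


def group_by_client(hits):
    """Group flagged requests by client address so one actor's activity reads together."""
    by_ip = {}
    for d, t, ip, path, reasons in hits:
        by_ip.setdefault(ip, []).append((d, t, path, reasons))
    return by_ip


if __name__ == "__main__":
    for ip, events in group_by_client(find_suspect_requests(SAMPLE_LOG)).items():
        print(ip)
        for ev in events:
            print("  ", ev)
```

On real data the same pass should also cover the MOVEit application database and the server's file system for the window, since a web shell can be removed after use while log retention outlives it; the point of the example is that the check is bounded by a date range and indicators, not by whether the patch is present today.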

"In coordination with law enforcement, WPS evaluated some of those impacted files. That portion of impacted files did not contain any Personal Information," the CMS notice stated.

"On July 8, 2024, when evaluating a different portion of the impacted files, WPS determined that some of the files contained Personal Information, at which point it informed CMS."

The information involved potentially included names, Social Security numbers, Medicare beneficiary numbers, dates of service, hospital account numbers, mailing addresses, gender and dates of birth.

CMS said it would continue working with WPS, cybersecurity forensic consultants and law enforcement to investigate the incident.

To Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, the CMS breach further stressed the importance of third-party risk management.

"One of the biggest takeaways here is that security teams can't just focus on patching after the fact. Vendor systems should be treated as part of your own network, with continuous risk assessments, stricter security controls, and holding vendors accountable through stronger contracts," Mittal noted.

"It's not just about ticking compliance boxes anymore, security needs to be embedded at every stage of the supply chain."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
