Nearly 1 million Medicare beneficiaries face data breach

Nearly one million Medicare beneficiaries have recently learned that their personal information may have been compromised in a data breach last year. This incident comes on the heels of another incident …. and highlights the ongoing challenges in protecting sensitive healthcare data and the importance of staying vigilant about your personal information.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

The breach: What happened?

The Centers for Medicare & Medicaid Services (CMS) is notifying 946,801 Medicare beneficiaries that their personal data may have been exposed due to a security vulnerability in the MOVEit file transfer software used by Wisconsin Physicians Service Insurance Corp., a CMS contractor.

On July 8, 2024, Wisconsin Physicians Service Insurance Corp. (WPS) informed the Centers for Medicare & Medicaid Services (CMS) about a cybersecurity incident involving MOVEit, a file transfer software. This incident compromised files containing protected health information, including Medicare claims data and other personally identifiable information.

The vulnerability in the MOVEit software allowed unauthorized access to personal information between May 27 and May 31, 2023. Progress Software, the developer of MOVEit, discovered and publicly disclosed this vulnerability on May 31, 2023, promptly releasing a software patch to address the issue.

WPS immediately applied the patch and conducted an initial investigation, which did not reveal any evidence of unauthorized file access at that time. However, in May 2024, new information prompted WPS to conduct a more thorough review with the assistance of a third-party cybersecurity firm. This review confirmed that while the vulnerability was successfully patched in early June 2023, an unauthorized third party had copied files from WPS’s MOVEit system before the patch was applied.

In coordination with law enforcement, WPS evaluated the impacted files. Initially, the examined portion did not contain personal information. However, on July 8, 2024, WPS discovered that some files in a different portion did contain personal information, leading to the immediate notification of CMS.

As of now, CMS and WPS are not aware of any reports of identity fraud or misuse of personal information resulting directly from this incident. Nevertheless, they are taking proactive measures to notify potentially affected individuals and provide resources to help protect their personal information.

It’s important to note that this incident does not affect current Medicare benefits or coverage.

What information was exposed?

The compromised data potentially includes:

• Names
• Addresses
• Birth dates
• Social Security numbers
• Medicare Beneficiary Identifiers (MBIs)
• Hospital account numbers
• Dates of services

Steps being taken by CMS

The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corp. are taking comprehensive measures to address the data breach and protect affected beneficiaries. They have initiated a process of mailing written notifications to all individuals whose information may have been compromised. These notifications provide detailed information about the breach and offer guidance on protective steps.

In addition to the notifications, CMS and its contractor are offering affected beneficiaries complimentary credit monitoring services for a period of 12 months. This service will help individuals monitor their credit reports for any suspicious activity that could indicate identity theft or fraud.

Furthermore, CMS is taking the proactive step of issuing new Medicare cards to beneficiaries whose Medicare Beneficiary Identifiers (MBIs) were potentially exposed in the breach. These new cards will contain updated MBIs, effectively invalidating the compromised numbers and adding an extra layer of security to beneficiaries’ accounts.

To ensure transparency and provide clear guidance, WPS has prepared a comprehensive letter that is being sent to all potentially affected individuals. This letter outlines the nature of the breach, the specific information that may have been compromised, and detailed instructions on how to utilize the offered protection services. It also includes contact information for further assistance and answers to frequently asked questions, helping beneficiaries navigate this challenging situation with as much support as possible.

We reached out to CMS for a comment on this article, and a rep provided this statement,

We take the privacy and security of your Medicare information very seriously. CMS and WPS apologize for the inconvenience this incident might have caused you.

HACKED, SCAMMED, EXPOSED: WHY YOU’RE ONE STEP AWAY FROM DISASTER ONLINE

What you should do

If you’re a Medicare beneficiary, here are some steps you can take to protect yourself:

1) Watch for official communication: CMS will send letters to affected individuals. Be cautious of unsolicited calls or emails claiming to be from Medicare.

2) Monitor your credit: Take advantage of the free credit monitoring services offered if you receive a notification letter.

3) Review your Medicare summary notices: Check for any unfamiliar charges or services.

4) Be alert for scams: Beware of anyone contacting you about needing a new Medicare card. This is likely a scam.

5) Contact Medicare directly: If you’re concerned, call 1-800-MEDICARE to ask if your account was involved in any data breaches.

6) Report suspicious activity: If you suspect fraud, contact your state’s Senior Medicare Patrol for guidance.

7) Be cautious with digital communications: Don’t click on any links or download attachments in unsolicited emails, texts, or social media messages claiming to be from Medicare or related to the data breach. These could be phishing attempts to gather more of your personal information. The best way to protect yourself from clicking malicious links is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. 

My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.  

Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.

Best Antivirus Protection 2024

8) Use an identity theft protection service: Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

CyberGuy’s Exclusive Offer (Save 52%): Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year. 

See my tips and best picks on how to protect yourself from identity theft.

Best identity theft protection services 2024

9) Consider using a data removal service: Given that Medicare beneficiary information may be exposed online due to data breaches, consider using a reputable data removal service. These services can help reduce your digital footprint by removing your personal information from various online databases and people-search websites. This can make it more difficult for scammers to find and misuse your information. However, be cautious when selecting such a service and ensure it’s legitimate, as some scammers may pose as data removal services to collect more of your personal information.

A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan websites for your information and remove it and keep it removed.

Special for CyberGuy Readers (60% off):  Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.

Get Incogni here

Get Incogni for your family (up to 4 people) here

Protecting your Medicare information

To safeguard your Medicare data in the future. Never share your Medicare number with unsolicited callers or emailers. Be cautious about giving personal information over the phone or online. Regularly review your Medicare statements for any unusual activity. Keep your Medicare card in a safe place, just like you would a credit card.

PHARMA GIANT’S DATA BREACH EXPOSES PATIENTS’ SENSITIVE INFORMATION 

Kurt’s key takeaways

While data breaches are unfortunately becoming more common, staying informed and taking proactive steps can help mitigate potential risks. Remember, Medicare will never call you unsolicited to ask for personal information or to issue a new card. If you’re ever in doubt, hang up and call Medicare directly using the official number on your card or the Medicare website. By staying vigilant and following these guidelines, you can help protect your personal and healthcare information from potential misuse.

Given the increasing frequency and scale of data breaches in the healthcare sector, what additional measures do you think Medicare and its affiliated organizations should implement to better protect beneficiaries’ personal information and prevent future security incidents? Let us know in the comments below. 

FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE