The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.
The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive health care services.
CMS and WPS are mailing written notifications to 946,801 people who currently have Medicare and whose PII may have been exposed, informing them of the breach and explaining actions being taken in response. CMS is also posting a substitute notice with similar information for those individuals for whom there is insufficient or out-of-date contact information for sending a written notification.
Below is a sample of the letter WPS is sending to those who are potentially affected:
Dear_______________:
The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, and Wisconsin Physicians Service Insurance Corporation (WPS), are writing to inform you of an incident involving your personal information related to services provided by WPS. WPS is a CMS contractor that handles certain Medicare claims in your state.
The incident involved a security vulnerability in the MOVEit software, a third-party application used by WPS for the transfer of files during the Medicare claims process. WPS is among the many organizations in the United States that have been impacted by the MOVEit vulnerability.
We are sending you this letter so that you can understand more about this incident, how we are addressing it, and additional steps you can take to further protect your privacy. We are providing information on free credit monitoring with this notice, and we will be giving you a new Medicare card with a new Medicare Number.
Your current Medicare benefits or coverage are not affected as a result of this incident.
What Happened?
On July 8, 2024, WPS notified CMS that files containing protected health information, such as Medicare claims data, and related personally identifiable information (collectively, “Personal Information”) were compromised in a cybersecurity incident involving MOVEit. A vulnerability in the MOVEit software made it possible, between May 27 and 31, 2023, for unauthorized third parties to gain access to Personal Information that was transferred using MOVEit.
Progress Software, the developer of MOVEit, discovered and disclosed the vulnerability in the MOVEit software to the public on May 31, 2023. Progress Software released a software patch to fix the vulnerability. WPS applied the patch and investigated the potential impact of the vulnerability on its systems. However, in the 2023 investigation, WPS did not observe any evidence that an unauthorized party obtained copies of files that were within the WPS MOVEit application.
In May 2024, acting on new information, WPS conducted an additional review of its MOVEit file transfer system with the assistance of a third-party cybersecurity firm. WPS confirmed that it had successfully patched the MOVEit vulnerability in early June 2023, after which there was no evidence of further activity by an unauthorized third party. However, the review also indicated that, before Progress Software released the patch, an unauthorized third party copied files from WPS’s MOVEit file transfer system. In coordination with law enforcement, WPS evaluated some of those impacted files. That portion of impacted files did not contain any Personal Information. On July 8, 2024, when evaluating a different portion of the impacted files, WPS determined that some of the files contained Personal Information, at which point it informed CMS. We are sending you this letter to notify you that your Personal Information was contained in the impacted files.
CMS and WPS are not aware of any reports of identity fraud or improper use of your Personal Information as a direct result of this incident; however, we are taking this opportunity to notify you so that, if you wish to do so, you can take advantage of the information and resources referenced in this notice.
What Information Was Involved?
We have determined that your Personal Information was present in certain files involved in this incident. This information may have included the following:
- Name
- Social Security Number or Individual Taxpayer Identification Number
- Date of Birth
- Mailing Address
- Gender
- Hospital Account Number
- Dates of Service
- Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number
What Are We Doing?
CMS is continuing to investigate this incident in coordination with WPS and will take all appropriate actions to safeguard the information entrusted to CMS. The investigation includes collaboration among CMS, WPS, and law enforcement agencies as well as cybersecurity forensic consultants. We are also providing you with the information in this notice so that you can take advantage of the resources referenced in the following section entitled “What You Can Do?”
What Can You Do?
1. Enroll in Experian Identity Protection Monitoring Services
WPS is offering a complimentary 12 months of credit monitoring and other services from Experian at no cost to you. You do not need to use your credit card or any other form of payment to enroll in the service. See the enclosed attachment for additional information on the complimentary services and protections available to you.
2. Obtain a Free Credit Report
Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies listed above. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. When you receive your credit reports, review them for problems. Identify any accounts you didn’t open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Even if you don’t find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you still check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
3. Continue to Use Your Existing Medicare Card
At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, if your MBI was potentially affected, a new Medicare card with a new number will be issued to you. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
a. Follow the instructions in the letter that comes with your new card.
b. Destroy your old Medicare card.
c. Inform your providers that you have a new Medicare Number.
For More Information
We take the privacy and security of your Medicare information very seriously. CMS and WPS apologize for the inconvenience this incident might have caused you.
If you have any further questions regarding this incident, please call the Experian dedicated and confidential toll-free response line at 833-931-5700. This response line is staffed with professionals familiar with this incident who know what you can do to help protect against misuse of your information. The response line is available Monday through Friday from 8 am – 8 pm Central Time (excluding major U.S. holidays). Be prepared to provide your engagement number B130492.
You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.
Sincerely,
WPS Medicare Privacy Officer