MOVEit Impacts 600K Medicare Beneficiaries, Ranks as Biggest Hack of 2023

U.S. government services contractor Maximus has now claimed the spot as the largest victim of the 2023 MOVEit breach, the biggest hack of 2023, impacting 612,000 Medicare beneficiaries.

Maximus, based in Virginia, contracts with federal, state and local governments to manage and administer government-sponsored programs, such as Medicaid and Medicare. The company employs 34,300 people and has an annual revenue of about $4.25 billion, with a presence in the U.S., Canada, Australia, and the United Kingdom.

CMS estimates the MOVEit breach, which also ranks as one of the largest in recent history, impacted approximately 612,000 current Medicare beneficiaries. CMS and Maximus are notifying Medicare beneficiaries whose PII and/or PHI may have been exposed to let them know they are being offered free-of-charge credit monitoring services for 24 months.

MOVEit is used by organizations to ship large amounts of often sensitive data: pension information, social security numbers, medical records, billing data and the like. Because many of those organizations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiraled outward.

The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have responded to a May 2023 data breach, sending apology letters to individuals whose data may have been impacted.

CMS and Maximus are notifying Medicare beneficiaries whose PII (personally identifiable information) and/or PHI (protected health information) may have been exposed that they are being offered free-of-charge credit monitoring services for 24 months. This notification also contains information about how impacted individuals can obtain a free credit report, and, for those beneficiaries whose Medicare Beneficiary Identifier number may have been impacted, information on receiving a new Medicare card with a new number.

According to the Centers for Medicare & Medicaid Services, PII at risk includes:

  • Name
  • Social Security Number or Individual Taxpayer Identification Number
  • Date of Birth
  • Mailing Address
  • Telephone Number, Fax Number and Email Address
  • Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
  • Driver’s License Number and State Identification Number
  • Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
  • Health Care Provider and Prescription Information
  • Health Insurance Claims and Policy/Subscriber Information
  • Health Benefits and Enrollment Information

According to Reuters, the MOVEit hack spawned breaches at more than 600 organizations worldwide and is still claiming victims. Other U.S. organizations compromised by the recent hack include Louisiana’s Office of Motor Vehicles, the state of Oregon’s driver’s license database, Siemens Energy, and the University of California at Los Angeles.

“I don’t think we’ve gotten to the end of this rope yet,” says James E. Lee, chief operating officer at the nonprofit Identity Theft Resource Center (ITRC) in San Diego, which educates consumers on the risks of identity theft. “Our information is in so many different places, it’s hard for an individual to keep track of where it is.”

During the first half of 2023 alone, the healthcare sector has been impacted by 295 breaches affecting over 39 million individuals, according to the Department of Health and Human Services’ Office for Civil Rights.