August 7, 2023
Approximately 612,000 Medicare beneficiaries have been impacted by a data breach involving a Medicare contractor. On June 2, 2023, the Centers for Medicare & Medicaid Services (CMS) was notified by Maximus Federal Services, which provides CMS with appeals services, of a data breach involving protected health information/personally identifiable information (PHI/PII) of approximately 612,000 Medicare beneficiaries. The breach was caused by a vulnerability in a third party’s transfer software, MOVEit. This software application, now a part of Progress Software, encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, and also provides automation services, analytics and failover options. (See the CISA Alert.) No CMS systems were impacted.