CMS Responding to Data Breach at Contractor

August 7, 2023

Approximately 612,000 Medicare beneficiaries have been impacted by a data breach involving a Medicare contractor. On June 2, 2023, the Centers for Medicare & Medicaid Services (CMS) was notified by Maximus Federal Services (which provides CMS with appeals services) of a data breach involving protected health information/personally identifiable information (PHI/PII) of approximately 612,000 Medicare beneficiaries. The breach was caused by a vulnerability in a third party’s transfer software, MOVEit. This software application, now a part of Progress Software, encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options. (See the CISA Alert) No CMS systems were impacted.

Currently, CMS and Maximus have started notifying impacted beneficiaries of the incident with instructions on steps they can take to protect their PHI/PII:

  • Enroll in identity and credit monitoring (Maximus will pay for 24 months of monitoring services)
  • Obtain a free credit report and identify any unusual activity
  • Continue to use their existing Medicare Card until they receive a new card in the mail (only for beneficiaries whose Medicare Beneficiary Identifier (MBI) was impacted by the breach)

Read CMS’ press release here
