Dive Brief:
- A data breach earlier this year that’s affected tens of millions of individuals to date has also compromised the sensitive personal and health information of approximately 612,000 Medicare beneficiaries, according to the CMS.
- Maximus Federal Services, a Medicare contractor, was hit in May by the sweeping breach, which exploited a security vulnerability in the MOVEit Transfer file-transfer software. The CMS said no HHS or CMS systems were impacted.
- Overall, Maximus, which contracts with federal and state governments on programs like Medicare and Medicaid, disclosed this week that the personal and protected health information of as many as 11 million individuals could be compromised because of the breach.
Dive Insight:
Maximus, which contracts with the government on file transfer during the Medicare appeals process, is one of hundreds of organizations that have been impacted by the MOVEit vulnerability.
MOVEit, a file-transfer product used by many government agencies and highly regulated companies, was hit by a cyberattack in May that has since reverberated across a number of industries, including healthcare.
Maximus in early June informed the CMS of the incident, which could have affected a range of personal and medical information of Medicare beneficiaries, like names, Social Security numbers and medical histories, including diagnoses.
The CMS said it and Maximus are notifying individuals who might have been impacted.
The Russian-linked Clop crime group has taken responsibility for the attack. Clop has a history of targeting healthcare organizations: In February, the HHS warned that Clop was responsible for recent breaches at healthcare organizations, including Tennessee-based Community Health Systems.
A number of healthcare companies have been hit by the MOVEit attack, including Baltimore-based hospital system Johns Hopkins. Johns Hopkins now faces a class-action lawsuit alleging negligence in connection with the breach.
Other healthcare organizations affected include Houston integrated health system Harris Health, Dallas-based system UT Southwestern Medical Center, nonprofit health plan Sutter Senior Care, healthcare risk adjustment firm Cognisight and pharmaceutical company Bristol Myers Squibb.
According to cybersecurity firm Emsisoft, more than 500 organizations have been affected by the breach so far, and the data of almost 37 million people has been exposed.
Hacking incidents at healthcare companies have been increasing as more hospitals and payers invest in and adopt digital tools without correspondingly strengthening their cybersecurity protocols. Along with healthcare companies themselves, their third-party vendors are a common source of breaches.
From 2010 to 2022, 385 million patient records were exposed due to breaches, according to federal records.
Earlier this month, for-profit hospital giant HCA reported a data security incident that could have affected the data of more than 11 million patients.