Cyberhack Discloses Data on Over 600,000 Medicare Beneficiaries

A data breach in May 2023 exposed the personal information of 612,000 Medicare beneficiaries, including names, dates of birth, SSNs, insurance details, and medical history. 

Maximus, an American company that manages and administers government-sponsored programs, detected an unusual activity on May 30 in the file transfer application MOVEit, used by government and commercial customers worldwide. This resulted in a far-reaching data breach that compromised the personal information of 612,000 Medicare beneficiaries, including Social Security numbers, birth dates, driver’s licence numbers, health insurance claims, medical records, and prescriptions. 

An investigation led to the shutdown of MOVEit the following day. Progress Software Corporation also disclosed a vulnerability in the application at the time that “had allowed an unauthorised party to gain access to files across many organisations in both the government and private sector.”

Those whose data was compromised by the May 2023 security breach have been notified by Maximus Federal Services, the federal agency that manages Medicare, and the Centers for Medicare & Medicaid Services, the contractor that handled the breach. 

As stated by the Centers for Medicare & Medicaid Services, personally identifiable information including name, SSN, tax identification number, date of birth, address, phone number, fax number, email, Medicare beneficiary identifier (MBI), licence number, SIN (State Identification Number), medical record information (such as the number of your medical record, diagnosis, dates of service, images, treatments, etc.), health insurance claim number (HICN), insurance policies, insurance subscribers, health benefits, and enrollment.

According to a Form 8-K filed with the Securities and Exchange Commission on July 26, it is estimated that Maximus’ investigation and “remediation activities” have so far cost approximately $15 million. Moreover, Maximus reported that it anticipates notifying 8 million and 11 million people of the breaches resulting from the cybersecurity hack.

Additionally, the driver’s licence database of Oregon, Siemens Energy, UCLA, and British Airways has been hacked, as well as the Office of Motor Vehicles in Louisiana. A spokesperson for the non-profit Identity Theft Resource Center (ITRC), which educates consumers about the dangers of identity theft, stated, “I don’t think we’ve gotten to the end of this rope yet. Our information is in so many different places, it’s hard to track where it is.”

Even though this incident is alarming, it is only one of 1,587 breaches reported by the ITRC so far in 2023, which places it very close to reaching the all-time high of 1,862 breaches reported in 2022.

Suggested Reads:

MIRABAUD BANK FINED $3M FOR AML FAILINGS BY DUBAI AUTHORITIES

THE US SECURITIES AND EXCHANGE COMMISSION IDENTIFIES AML FAILURES OF US BROKERAGE FIRMS

SIX MEN ARRESTED IN HONG KONG FOR US$22.4 MILLION IN FRAUD