Cyberhack Exposes Data on 600,000-Plus Medicare Beneficiaries

Breach goes well beyond Medicare

Edward C. Baig,

AARP

Comments

En español

Published August 02, 2023

the word medicare on a white card with blue and red stripes

AP Photo/Jon Elswick

A far-reaching data breach by a government contractor has put Social Security numbers, birth dates, driver’s license numbers, health insurance claims, medical history notes, prescription information and other personally identifiable information of 612,000 Medicare beneficiaries at risk. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages Medicare, as well as the contractor in question, Maximus Federal Services, have begun sending apology letters to individuals whose data may have been impacted by the May 2023 security breach.

What happened?

On May 30, Maximus detected “unusual activity” in a file transfer application used by commercial and government customers worldwide called MOVEit, which it shut down the next day following an investigation. That’s also when the application’s provider, Progress Software Corporation, disclosed a vulnerability in the program that “had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.” CMS was notified on June 2.

What information is involved?

According to the Centers for Medicare & Medicaid Services, PII at risk includes:

Name
Social Security Number or Individual Taxpayer Identification Number
Date of Birth
Mailing Address
Telephone Number, Fax Number and Email Address
Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
Driver’s License Number and State Identification Number
Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
Health Care Provider and Prescription Information
Health Insurance Claims and Policy/Subscriber Information
Health Benefits and Enrollment Information

It gets worse

In an 8-K filing with the Securities and Exchange Commission on July 26, Maximus estimated the cost of the investigation and “remediation activities” thus far has been approximately $15 million, though the investigation is ongoing. Moreover, Maximus says files impacted by the cybersecurity hack contain Social Security numbers and protected health information “of at least 8 to 11 million people” whom the company anticipates having to notify.

Other organizations compromised by the recent hack include Louisiana’s Office of Motor Vehicles, Oregon’s driver’s license database, Siemens Energy, UCLA and British Airways.

“I don’t think we’ve gotten to the end of this rope yet,” says James E. Lee, chief operating officer at the nonprofit Identity Theft Resource Center (ITRC) in San Diego, which educates consumers on the risks of identity theft. “Our information is in so many different places, it’s hard for an individual to keep track of where it is.”

Shopping & Groceries

Coupons for Local Stores

Save on clothing, gifts, beauty and other everyday shopping needs

View Details

See All

See more Shopping & Groceries offers >

{"hideCategory":false,"useAlternateLanguage":false,"headlineIconAltText":"","listItems":[{"categoryTitle":"Shopping \u0026 Groceries","categoryUrl":"/membership/benefits/shopping/","categoryDeeplinkParam":"shoppingandgroceries","isLimitedTimeOffer":false,"offerJson":{"dbr_offer_id":"cc10a5160ce1087afc819517a2b9e911","source_name":"Coupons for Local Stores","offer_title":"Shopping Savings Near You","offer_description":"\u003cp\u003eMembers save at a range of local shops and national chains.\u003c/p\u003e","offer_short_description":"Save on clothing, gifts, beauty and other everyday shopping needs","category_list":"shoppingandgroceries","subcategory_list":"","tags":[{"tagID":"dbr:shoppingandgroceries","title":"Shopping \u0026 Groceries","name":"shoppingandgroceries","deeplink_url":"/membership/benefits/shopping/","deeplink_param_value":"shoppingandgroceries","get_offers_url":"/etc/aarp/dbr/ws.api/offers/shoppingandgroceries.json","sub_tags":[]}],"vertical_image_url":"/content/dam/aarp/benefits_discounts/discount-aggregator/258x334-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.jpg","image_url":"/content/dam/aarp/benefits_discounts/discount-aggregator/1140x641-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.jpg","advertisement_flag":"","advertisement_sort_order":"","merchant_phone":"","merchant_phone_label":"","howto_redeem":"Learn More","howto_redeem_url":"https://memberoffers.aarp.org/shopping","howto_redeem_expired":"Renew to Learn More","howto_redeem_expired_link":"https://appsec.aarp.org/mem/renew","howto_redeem_non_member":"Join to Learn More","howto_redeem_non_member_link":"https://secure.aarp.org/applications/membershipChallenge/showChallengeForm.action?appName\u003daccount","howto_redeem_anonymous":"Join to Learn More","howto_redeem_anonymous_link":"https://appsec.aarp.org/mem/join?campaignid\u003dUASMBP1\u0026intcmp\u003dEWHERE-MBCHAE-LP-MMA-JOIN","howto_redeem_desc":"Show the coupon on your phone or print it and show at checkout. ","member_exclusive_flag":"no","offer_type":"EverGreen","hideLeavingAARP":"false","interstitial_desc":"You\u0027ll leave AARP.org and go to the website of a trusted provider. The provider\u0027s terms, conditions, and policies apply.","dbr_offer_type":"discount","restrictions":"\u003cp\u003eThese AARP member benefits are provided by a third party, not by AARP or its affiliates. These offers are subject to change and may have restrictions.\u003c/p\u003e","lto_daysleft_start_control":30,"is_redeemable_in_person":"false","is_redeemable_only_in_person":false,"state_blacklist":[],"offer_timing":"anytime","line_of_business":"ASI discounts","asi_category":"ASI Shopping","analytics_brand":"Augeo | Coupons for Local Stores","analytics_offerid":"even-more-shopping-discounts","howto_redeem_already_registered_anon":"Member Log In","howto_redeem_already_registered_anon_link":"https://login.aarp.org/online-community/loginform.action","howto_redeem_already_registered_nonmember":"Link your membership","howto_redeem_already_registered_nonmember_link":"https://secure.aarp.org/applications/membershipChallenge/showChallengeForm.action?appName\u003daccount","offer_keywords":["local","retail discounts","shopping","member benefits","aarp benefits","aarp discounts"],"offer_keywords_spanish":[],"provider_logo":"/content/dam/aarp/benefits_discounts/discount-aggregator/see-more-shopping-red-logo.svg","provider_logo_alt_text":"shopping bag red logo icon","provider_logo_cdn_uri":"","provider_logo_width":"","provider_logo_height":"","enable_utm_parameters":"","append_aid_paramter":"","lto_model_heading":"Limited Time Member Offers","lto_advertisement":"Member Exclusive Advertisement","ty_socialMissionFlag":"true","deeplink_param_value":"even-more-shopping-discounts","howto_redeem_2":"Learn More","howto_redeem_already_registered_nonmember_label":"Already a member?","howto_redeem_already_registered_anon_label":"Already a member?","image_alt_text":"Woman wearing winter coat and scarf, turtleneck, outside shop window holding shopping bags, looking and smiling at cellphone","image_title":"Coupons for Local Stores","image_cdn_uri":"https://cdn.aarp.net/content/dam/aarp/benefits_discounts/discount-aggregator/1140x641-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.imgcache.revd094c026375194b30d01c7453e3dfa10.jpg","tab_label_offer_details":"Details","tab_label_restrictions":"Disclosures","geoloc_tab_label":"Locations","disclaimer_label":"","geoloc_provider_legal_info":"","geoloc_miles_label_text":"Miles","geoloc_show_results_within_label_text":"Show results within","geoloc_see_more_button_text":"See More","geoloc_find_location_label":"Find a Location","geoloc_total_results_label":"Result(s)","geoloc_no_results_view_message":"There are no locations within a 100 mile radius. Please try another location","geoloc_tab_hint_text":"Enter an address, city, or ZIP","geoloc_mobile_list_cta":"LIST VIEW","geoloc_mobile_list_cta_url":"","geoloc_mobile_map_cta":"MAP VIEW","geoloc_mobile_map_cta_url":"","geoloc_provider_link_cta_url":"","geoloc_experience_type":"","ty_ctaText":"Continue","geoloc_hide_tab":"true","ty_interstitialText":"Thanks for visiting aarp.org! Come back again to check out all of the AARP Member Benefits and unlock the full power of membership.","howto_redeem_label":"How to Access","ty_interstitialDesc":"Come back again to check out all of the AARP Member Benefits and unlock the full power of membership.","ty_cancelText":"Cancel","ty_interstitialTitle":"Thanks for visiting aarp.org!","lto_daysleft":"Days Left","provider_logo_title":"shopping bag red logo icon","geoloc_hide_see_more_button":"false","geoloc_provider_link_cta":"","offer_page_path":"/benefits-discounts/all/even-more-shopping-discounts/","redemption_content":"","show_phone_number_above_cta":"","restrictions_label":"Disclosures","show_state_availability":"","state_availability_text":"SEE AVAILABILITY IN YOUR STATE","hideRestrictionsTab":"","ltos":[]},"parentOfferJson":{}}]}

Alarming as it is, the MOVEit hack is merely one of 1,587 data breaches reported by the ITRC so far this year, which by the end of 2023 could put it well in range of the all-time high of 1,862 breaches in 2021.

What you can do

Here are some steps to take if you believe you’re affected by the breach.

1. Enroll in Experian identity and credit monitoring services. Maximus is offering two years of free credit monitoring and other services from Experian. The Maximus/CMS letter says you don’t need to use your credit card or any other form of payment to receive these services.

2. Obtain a free credit report. Under federal law, you’re entitled to one free credit report from one of the three major nationwide credit reporting agencies, Equifax, Experian and TransUnion every 12 months.

You can request a report by calling 1-877-322-8228 or by visiting www.annualcreditreport.com. Review them for any problems. Look out for accounts you didn’t open or inquiries from creditors you didn’t authorize. Contact the agency to report any errors.

3. Review your credit reports periodically. Don’t wait for a well-publicized incident. This is prudent advice even if suspicious activity isn’t suspected.

4. Contact law enforcement. If you uncover something suspicious, get in touch with local law enforcement and file a police report.

5. Complain to the FTC. You can add your complaint to the Federal Trade Commission’s Identity Theft Data Clearinghouse, a repository that law enforcement can access. Reach out via email at www.ftc.gov/idtheft, call 1-877-438-4338 or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Ave NW, Washington, DC 20580.

6. Continue to use your current Medicare card. CMS says it isn’t aware of any identity fraud or other improper use of your information because of the breach. Even so, if your Medicare Beneficiary Identifier (MBI) was affected, you’ll receive a new number but it’s your responsibility to notify your providers of the change.

“I know it’s going to be a hassle,” Lee of ITRC says. “But that’s important because if the bad guys go to utilize that [old] number in any way, they’re not going to be able to use the benefit that you [are] rightfully the owner of.”

7. Ask how companies and organizations are going to use your information. “That’s one of the things we should do that we’re probably not doing,” Lee says, suggesting you ask the company if it needs your information and, if so, what it will do with it and how it will protect it?

8. Freeze your credit. Don’t just monitor it, freeze it, Lee says.

9. Choose unique passwords. Don’t use the same or similar passwords across all accounts, security experts say. For an extra layer of protection, employ a secondary form of validation, preferably with an app, but sometimes via phone or some other device. This is known as multifactor authentication.

Medicare beneficiaries: Review your Medicare Summary Notice, the quarterly statement of Medicare charges, for any suspicious activity. You should also check your online Medicare account. You can report potential Medicare fraud to 800-Medicare or contact your state’s Senior Medicare Patrol.

%{postComment}%

Edward C. Baig covers technology and other consumer topics. He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune, and is author of Macs for Dummies and coauthor of iPhone for Dummies and iPad for Dummies. Follow him on LinkedIn; Threads; and X, formerly known as Twitter.

Discover AARP Members Only Access

Join AARP to Continue

Already a Member? Login

More From AARP

a smartphone displaying chatgpt on top of a keyboard

FTC Probes ChatGPT Over Concerns About Your Privacy

Feds want to know how parent OpenAI handles user data

In ‘Do Me a Favor’ Scams, a Criminal Pretends to Be Your Pal

An increasingly common scheme involves impostors claiming to need help buying gift cards

a thumbtack pin set in a map shown on a mobile phone screen

How to reduce ways your devices can track your location

Your smartphone is tracking you - and some of the information it gathers can put you at risk. Find out how to limit the data your device is collecting.

AARP Value & Member Benefits