Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×
Search
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

Cyberhack Exposes Data on 600,000-Plus Medicare Beneficiaries

Breach goes well beyond Medicare


spinner image the word medicare on a white card with blue and red stripes
AP Photo/Jon Elswick

A far-reaching data breach by a government contractor has put Social Security numbers, birth dates, driver’s license numbers, health insurance claims, medical history notes, prescription information and other personally identifiable information of 612,000 Medicare beneficiaries at risk. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages Medicare, as well as the contractor in question, Maximus Federal Services, have begun sending apology letters to individuals whose data may have been impacted by the May 2023 security breach.

spinner image Image Alt Attribute

AARP Membership— $12 for your first year when you sign up for Automatic Renewal

Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP the Magazine. Find out how much you could save in a year with a membership. Learn more.

Join Now

What happened?

On May 30, Maximus detected “unusual activity” in a file transfer application used by commercial and government customers worldwide called MOVEit, which it shut down the next day following an investigation. That’s also when the application’s provider, Progress Software Corporation, disclosed a vulnerability in the program that “had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.” CMS was notified on June 2.

What information is involved?

According to the Centers for Medicare & Medicaid Services, PII at risk includes:

  • Name
  • Social Security Number or Individual Taxpayer Identification Number
  • Date of Birth
  • Mailing Address
  • Telephone Number, Fax Number and Email Address
  • Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
  • Driver’s License Number and State Identification Number
  • Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
  • Health Care Provider and Prescription Information
  • Health Insurance Claims and Policy/Subscriber Information
  • Health Benefits and Enrollment Information

It gets worse

In an 8-K filing with the Securities and Exchange Commission on July 26, Maximus estimated the cost of the investigation and “remediation activities” thus far has been approximately $15 million, though the investigation is ongoing. Moreover, Maximus says files impacted by the cybersecurity hack contain Social Security numbers and protected health information “of at least 8 to 11 million people” whom the company anticipates having to notify.

spinner image cartoon of a woman holding a megaphone

Have you seen this scam?

  • Call the AARP Fraud Watch Network Helpline at 877-908-3360 or report it with the AARP Scam Tracking Map.  
  • Get Watchdog Alerts for tips on avoiding such scams.

Other organizations compromised by the recent hack include Louisiana’s Office of Motor Vehicles, Oregon’s driver’s license database, Siemens Energy, UCLA and British Airways.

“I don’t think we’ve gotten to the end of this rope yet,” says James E. Lee, chief operating officer at the nonprofit Identity Theft Resource Center (ITRC) in San Diego, which educates consumers on the risks of identity theft. “Our information is in so many different places, it’s hard for an individual to keep track of where it is.”

Shopping & Groceries

Coupons for Local Stores

Save on clothing, gifts, beauty and other everyday shopping needs

See more Shopping & Groceries offers >

Alarming as it is, the MOVEit hack is merely one of 1,587 data breaches reported by the ITRC so far this year, which by the end of 2023 could put it well in range of the all-time high of 1,862 breaches in 2021.

What you can do

Here are some steps to take if you believe you’re affected by the breach.

1. Enroll in Experian identity and credit monitoring services. Maximus is offering two years of free credit monitoring and other services from Experian. The Maximus/CMS letter says you don’t need to use your credit card or any other form of payment to receive these services.

2. Obtain a free credit report. Under federal law, you’re entitled to one free credit report from one of the three major nationwide credit reporting agencies, Equifax, Experian and TransUnion every 12 months.

You can request a report by calling 1-877-322-8228 or by visiting www.annualcreditreport.com. Review them for any problems. Look out for accounts you didn’t open or inquiries from creditors you didn’t authorize. Contact the agency to report any errors.  

3. Review your credit reports periodically. Don’t wait for a well-publicized incident. This is prudent advice even if suspicious activity isn’t suspected.  

4. Contact law enforcement. If you uncover something suspicious, get in touch with local law enforcement and file a police report.  

5. Complain to the FTC. You can add your complaint to the Federal Trade Commission’s Identity Theft Data Clearinghouse, a repository that law enforcement can access. Reach out via email at www.ftc.gov/idtheft, call 1-877-438-4338 or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Ave NW, Washington, DC 20580.

6. Continue to use your current Medicare card. CMS says it isn’t aware of any identity fraud or other improper use of your information because of the breach. Even so, if your Medicare Beneficiary Identifier (MBI) was affected, you’ll receive a new number but it’s your responsibility to notify your providers of the change.

“I know it’s going to be a hassle,” Lee of ITRC says. “But that’s important because if the bad guys go to utilize that [old] number in any way, they’re not going to be able to use the benefit that you [are] rightfully the owner of.”

7. Ask how companies and organizations are going to use your information. “That’s one of the things we should do that we’re probably not doing,” Lee says, suggesting you ask the company if it needs your information and, if so, what it will do with it and how it will protect it?

8. Freeze your credit. Don’t just monitor it, freeze it, Lee says.

9. Choose unique passwords. Don’t use the same or similar passwords across all accounts, security experts say. For an extra layer of protection, employ a secondary form of validation, preferably with an app, but sometimes via phone or some other device. This is known as multifactor authentication.

Medicare beneficiaries: Review your Medicare Summary Notice, the quarterly statement of Medicare charges, for any suspicious activity. You should also check your online Medicare account. You can report potential Medicare fraud to 800-Medicare or contact your state’s Senior Medicare Patrol.

Discover AARP Members Only Access

Join AARP to Continue

Already a Member?

spinner image cartoon of a woman holding a megaphone

Have you seen this scam?

  • Call the AARP Fraud Watch Network Helpline at 877-908-3360 or report it with the AARP Scam Tracking Map.  
  • Get Watchdog Alerts for tips on avoiding such scams.