The Centers for Medicare & Medicaid Services (“CMS”) and its contractor, Wisconsin Physicians Service Insurance Corporation (“WPS”), recently notified over 940,000 Medicare beneficiaries of a data breach that has potentially exposed their protected health information (“PHI”) and personally identifiable information (“PII”). CMS reported on the breach portal of the U.S.

Department of Health and Human Services (“HHS”) that the total number of impacted people was 3,112,815 individuals. Incident Overview In May 2024, WPS, a contractor that handles Medicare Part A and B claims for beneficiaries in multiple states, identified that unauthorized third parties had accessed sensitive data due to a vulnerability in MOVEit, a third-party file transfer software used by WPS. The breach occurred between May 27 and May 31, 2023, prior to the application of a patch issued by the software developer, Progress Software, on May 31, 2023.

While WPS did not observe evidence of data compromise during its initial investigation in 2023, a subsequent review in May 2024 based on new information confirmed that sensitive files containing PHI and PII had been copied. The compromised information includes the following Medicare beneficiary information: (i) names, (ii) social security numbers or individual taxpayer identification numbers, (iii) dates of birth, (iv) Medicare beneficiary identifiers (“MBIs”) or health insurance claim numbers, (v) hospital account numbers, (vi) dates of se.