The Centers for Medicare & Medicaid Services (CMS) federal agency announced earlier this month that health and personal information of more than three million health plan beneficiaries was exposed in the MOVEit attacks Cl0p ransomware conducted last year.

The hackers stole the data after breaching the Wisconsin Physicians Service (WPS) health insurance corporation, which provided Medicare administrative services.

CMS is a federal agency within the HHS that administers the nation’s major healthcare programs, including Medicaid and CHIP.

It oversees the programs to ensure they meet federal standards, provides funding support, enforces policies and regulations, monitors quality and costs, and helps regulate the Affordable Care Act’s (ACA) health insurance marketplace.

A press release from CMS on September 6th informed that the agency and WPS were notifying 946,801 individuals with Medicare about personally identifiable information exposed in the MOVEit attacks that happened over a year ago.

On the same day, the federal agency reported on the breach portal of the U.S. Department of Health and Human Services (HSS) that the complete number of people with information stolen was 3,112,815 individuals.

In clarifications for BleepingComputer, a CMS spokesperson explained that the difference represented people who are either deceased or were not Medicare beneficiaries but WPS had collected their data as part of their work for CMS.

According to the CMS press release, WPS applied the security updates from Progress Software, the developer of MOVEit Transfer, in early June 2023 and assumed at the time that its systems were safe.

However, a review of the incident in May 2024 revealed that the hackers had breached the WPS network before the company applied the security patch and had exfiltrated certain files.

On July 8, 2024, while still evaluating the contents of the stolen files, CMS determined that they contained, among other things, the following information:

• Name
• Social Security Number or Individual Taxpayer Identification Number
• Date of Birth
• Mailing Address
• Gender
• Hospital Account Number
• Dates of Service
• Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number

As the investigation of the incident continues, impacted individuals are offered a 12-month free-of-charge credit monitoring service by Experian to mitigate the risks that arise from their data exposure.

Although Cl0p claimed that they would delete data belonging to hospitals, healthcare organizations, and U.S. government entities, it is practically impossible for anyone to guarantee that the stolen data hasn’t been shared or sold on the dark web.