As part of an ongoing investigation into the May 2023 data breach of Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. (Maximus Federal Services), a contractor to the Medicare program, the Center for Medicare & Medicaid Services (CMS) has learned of additional individuals whose personally identifiable information (PII) may have been compromised among files maintained by Maximus Federal Services. As a result, this week, CMS and Maximus Federal Services are sending letters to 330,000 current people with Medicare who may have been impacted, notifying them of the breach and explaining actions being taken in response.
CMS and Maximus Federal Services are notifying people with Medicare whose PII may have been exposed that they are being offered free-of-charge credit monitoring services for 24 months. This notification also contains information about how impacted individuals can obtain a free credit report, and, for those individuals whose Medicare Beneficiary Identifier number may have been impacted, information on receiving a new Medicare card with a new number.
Below is a sample of the letter being sent to those who are potentially affected:
Dear <<Name >>
The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, and Maximus Federal Services, Inc. (Maximus), a CMS contractor, are writing to inform you of an incident potentially involving your personal information related to services provided by Maximus. Maximus provides appeals services in support of the Medicare program.
The incident involved a security vulnerability in the MOVEit software, a third-party application that allows for the transfer of files during the Medicare appeals process. Maximus is among many organizations in the United States that have been impacted by the MOVEit vulnerability.
We are sending you this letter so you can understand more about the incident, how we are addressing it, and additional steps you can take to further protect your privacy. We are providing information with this notice on free credit monitoring services and, if your Medicare Beneficiary Identifier (MBI) was potentially affected, will be giving you a new Medicare card with a new Medicare Number. This does not impact your current Medicare benefits or coverage.
Our understanding is as follows: On May 30, 2023, Maximus detected unusual activity in its MOVEit application. Maximus began to investigate and stopped all use of the MOVEit application early on May 31, 2023. Later that same day, the third-party application provider, Progress Software Corporation, announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.
Maximus notified CMS of the incident on June 2, 2023. To date, the ongoing investigation indicates that on approximately May 27 through 31, 2023, the unauthorized party may have obtained copies of files that were saved in the Maximus MOVEit application, but that no CMS systems were compromised. After notifying CMS, Maximus began to analyze the files to determine which data was potentially affected. As part of that analysis, Maximus identified an initial set of individuals whose data may have been affected and notified those individuals. After further investigation and analysis, it was determined that those files contained personal information for additional individuals, which is why we are notifying you now.
What Information Was Involved?
We have determined that your personal and Medicare information potentially was involved in this incident. This information may have included the following:
• Social Security Number or Individual Taxpayer Identification Number
• Date of Birth
• Mailing Address
• Telephone Number, Fax Number, & Email Address
• Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
• Driver’s License Number and State Identification Number
• Medical History/Notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
• Healthcare Provider and Prescription Information
• Health Insurance Claims and Policy/Subscriber Information
• Health Benefits & Enrollment Information
What Are We Doing?
When the incident was discovered, Maximus began an investigation, took the MOVEit application offline, applied MOVEit software patches, and notified law enforcement. CMS is continuing to investigate this incident in coordination with Maximus and will take all appropriate actions to safeguard the information entrusted to CMS.
What Can You Do?
1) Enroll in Experian Identity and Credit Monitoring Services
Maximus is offering a complimentary 24 months of credit monitoring and other services from Experian at no cost to you. You do not need to use your credit card or any other form of payment to enroll in the service.
Please see Attachment #1 for information on how to utilize your free Experian Services.
2) Obtain a Free Credit Report
Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies listed above. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. When you receive your credit reports, review them for problems. Identify any accounts you didn’t open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Even if you don’t find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you still check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Please see Attachment #2 for additional steps you can take to protect your information.
3) Continue to Use Your Existing Medicare Card
At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, if your MBI was potentially affected, a new Medicare card with a new number will be issued to you. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
a. Follow the instructions in the letter that comes with your new card.
b. Destroy your old Medicare card.
c. Inform your providers that you have a new Medicare Number.
For More Information
We take the privacy and security of your Medicare information very seriously. CMS and Maximus apologize for the inconvenience this privacy incident might have caused you.
If you have any further questions regarding this incident, please call the Experian dedicated and confidential toll-free response line at xxx-xxx-xxxx. This response line is staffed with professionals familiar with this incident who know what you can do to protect against misuse of your information. The response line is available Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays).
You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.