Data Breach Exposes Personal Information of 612K Medicare Recipients

CMS is notifying beneficiaries and offering free credit monitoring services.

data center lining wall
(Image credit: Getty Images)

A data breach at a data file sharing service has exposed the personal information of 612,000 Medicare recipients and millions of other health care consumers.

The breach occurred in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, one of the Medicare program’s contractors, the Center for Medicare & Medicaid Services (CMS) said in a statement.

Maximus said that up to 11 million people were affected by the breach.

Subscribe to Kiplinger’s Personal Finance

Be a smarter, better informed investor.

Save up to 74%

Sign up for Kiplinger’s Free E-Newsletters

Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.

Profit and prosper with the best of expert advice - straight to your e-mail.

Sign up

The breach, which occurred in May and was announced by CMS on July 28, involved the personally identifiable information (PII) and protected health information (PHI) of Medicare beneficiaries and/or protected health information.

Specific information that may have been compromised includes names, phone numbers, email addresses, Social Security numbers, healthcare provider and prescription information as well as health insurance claims, CMS said. No CMS or Department of Health and Human Services systems were impacted, the agency added.

CMS and Maximus are sending letters to Medicare beneficiaries who may be impacted by the incident and both are offering free credit monitoring services for two years.

“Data privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us,” Maximus told Kiplinger in a statement. The company said that Maximus and many other companies use MOVEit, and that it is investigating the issue and closely monitoring its systems for any unusual activity.

“To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network,” Maximus said.

Updating security is important

Ani Chaudhuri, CEO at Dasera, a data security firm in Saratoga, California, told Kiplinger that the breach occurred due to an unknown vulnerability in the MOVEit software.

“When the creators of MOVEit announced the vulnerability on May 31, 2023, it was clear the gap allowed unauthorized actors to gain access to MOVEit servers, in this case, compromising sensitive consumer data,” Chaudhuri said.

“Companies like Maximus use [services such as MOVEit] to send, receive and store sensitive information, making them attractive targets for cybercriminals,” he said. “This incident underscores the importance of maintaining robust and updated security measures, regularly auditing software for vulnerabilities, and adopting a proactive approach to data governance.”

"Consumers affected by this breach should stay alert for any phishing attempts, such as email, text, or phone,” said Chris Hauk, who focuses on consumer privacy at Pixel Privacy, an online data protection services company. “The bad actors responsible for the breach or who purchase the information stolen in the breach may use the information they already have to cheat the users out of additional information.”

Brian O'Connell

A former Wall Street bond trader, Brian O’Connell is the author of two best-selling books: “The 401k Millionaire” and “CNBC’s Creating Wealth.” His work is bylined in national finance and business platforms such as, CBS News, The Wall Street Journal, U.S. News & World Report, Forbes, Fox News and many others. His corporate clients have included SoFi, Experian, Prudential,, Oanda, General Motors, the Kaufman Foundation, PNC, and many others. With 20 years of experience covering business news and trends, particularly in the business and financial sectors, he believes education is the best gift a financial consumer can receive – and brings that philosophy to every story he writes. Brian is a graduate of the University of Massachusetts, and currently resides in Palmas del Mar, Puerto Rico during the winter months, and in historic Bucks County, Pa., when Mother Nature cooperates.