Another 947K patient records found to be leaked in MOVEit breach

The MOVEit data breach may be long in the rear-view mirror, but healthcare entities and patients are still feeling the ripple effects. 

On Friday, the Centers for Medicare & Medicaid Services (CMS) sent out an alert notifying the public that Wisconsin Physicians Service Insurance Corporation (WPS) had inadvertently leaked personally identifiable information on patients to an unauthorized third party, potentially leading to data from Medicare beneficiaries being exposed to cybercriminals. 

However, the incident where WPS's data was accessed and moved happened as a result of the MOVEit vulnerability, first discovered in May 2023 and patched a month later. 

A July 2024 investigation by WPS uncovered the more than a year old leak, a statement from CMS and WPS said. Before that, it went unnoticed.

The statement from the two groups included a sample letter addressed to patients whose data was leaked. Information accessed by potentially malicious actors includes names, social security numbers, insurance information and more. However, there is no evidence the data has been used to steal identities or commit any acts of fraud. 

In total, 946,801 patients are impacted, all of whom will receive a letter informing them of the breach and offering identity theft protection services as recompense. 

How did it happen?

A popular data transfer service called MOVEit is used all over the country to share patient records between groups, including insurance companies, academic institutions, health systems and technology companies. A vulnerability in the service, discovered in May 2023, was exploited by third-parties who accessed data on various servers connected to MOVEit. 

CMS released a statement about the issue in July 2023, then notifying around 612,000 Medicare beneficiaries their data may have been exposed to nefarious groups. 

In June 2023, WPS had patched the vulnerability and conducted an investigation into potential data leak. However, it did not immediately notice certain files had actually been moved offsite, culminating in the announcement with CMS being released this Friday.

For more information, view the full notice from CMS and WPS here

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Trimed Popup
Trimed Popup