Another 947K patient records found to be leaked in MOVEit breach

The MOVEit data breach may be long in the rear-view mirror, but healthcare entities and patients are still feeling the ripple effects. 

On Friday, the Centers for Medicare & Medicaid Services (CMS) sent out an alert notifying the public that Wisconsin Physicians Service Insurance Corporation (WPS) had inadvertently leaked personally identifiable information on patients to an unauthorized third party, potentially leading to data from Medicare beneficiaries being exposed to cybercriminals. 

However, the incident where WPS's data was accessed and moved happened as a result of the MOVEit vulnerability, first discovered in May 2023 and patched a month later. 

A July 2024 investigation by WPS uncovered the more than a year old leak, a statement from CMS and WPS said. Before that, it went unnoticed.

The statement from the two groups included a sample letter addressed to patients whose data was leaked. Information accessed by potentially malicious actors includes names, social security numbers, insurance information and more. However, there is no evidence the data has been used to steal identities or commit any acts of fraud. 

In total, 946,801 patients are impacted, all of whom will receive a letter informing them of the breach and offering identity theft protection services as recompense. 

How did it happen?

A popular data transfer service called MOVEit is used all over the country to share patient records between groups, including insurance companies, academic institutions, health systems and technology companies. A vulnerability in the service, discovered in May 2023, was exploited by third-parties who accessed data on various servers connected to MOVEit. 

CMS released a statement about the issue in July 2023, then notifying around 612,000 Medicare beneficiaries their data may have been exposed to nefarious groups. 

In June 2023, WPS had patched the vulnerability and conducted an investigation into potential data leak. However, it did not immediately notice certain files had actually been moved offsite, culminating in the announcement with CMS being released this Friday.

For more information, view the full notice from CMS and WPS here

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty. 

California-based Acutus Medical has said its ongoing agreement to manufacture and distribute left-heart access devices for Medtronic is the company's only source of revenue.