Another 947K patient records found to be leaked in MOVEit breach
The MOVEit data breach may be long in the rear-view mirror, but healthcare entities and patients are still feeling the ripple effects.
On Friday, the Centers for Medicare & Medicaid Services (CMS) sent out an alert notifying the public that Wisconsin Physicians Service Insurance Corporation (WPS) had inadvertently leaked personally identifiable information on patients to an unauthorized third party, potentially leading to data from Medicare beneficiaries being exposed to cybercriminals.
However, the incident where WPS's data was accessed and moved happened as a result of the MOVEit vulnerability, first discovered in May 2023 and patched a month later.
A July 2024 investigation by WPS uncovered the more than a year old leak, a statement from CMS and WPS said. Before that, it went unnoticed.
The statement from the two groups included a sample letter addressed to patients whose data was leaked. Information accessed by potentially malicious actors includes names, social security numbers, insurance information and more. However, there is no evidence the data has been used to steal identities or commit any acts of fraud.
In total, 946,801 patients are impacted, all of whom will receive a letter informing them of the breach and offering identity theft protection services as recompense.
How did it happen?
A popular data transfer service called MOVEit is used all over the country to share patient records between groups, including insurance companies, academic institutions, health systems and technology companies. A vulnerability in the service, discovered in May 2023, was exploited by third-parties who accessed data on various servers connected to MOVEit.
CMS released a statement about the issue in July 2023, then notifying around 612,000 Medicare beneficiaries their data may have been exposed to nefarious groups.
In June 2023, WPS had patched the vulnerability and conducted an investigation into potential data leak. However, it did not immediately notice certain files had actually been moved offsite, culminating in the announcement with CMS being released this Friday.
For more information, view the full notice from CMS and WPS here.