Nearly 1 million Medicare beneficiaries in Wisconsin are the latest potential breach victims as the list of MOVEit victims coming forward continues to grow.
Progress Software, the developer of MOVEit, discovered and disclosed the breach on May 31, 2023, but it wasn’t until recently that the Wisconsin Physicians Service Insurance Corporation (WPS)—a Centers for Medicare & Medicaid Services contractor handling some Medicare claims and related services—realized that the personal information of thousands of beneficiaries had been compromised. CMS and WPS have mailed notifications to 946,801 people whose information may have been exposed, detailing necessary actions.
Exposed information could include:
- Social Security Number or Individual Taxpayer Identification Number
- Name
- Date of Birth
- Mailing Address
- Gender
- Hospital Account Number
- Dates of Service
- Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number
Medicare beneficiaries whose data may have been exposed are being offered free credit monitoring for 24 months, along with information on how to receive one of their annual free credit reports and whether they need to use a new Medicare card.
The Securities and Exchange Commission said it would not pursue enforcement action against Progress Software, but the company still faces approximately 144 class action lawsuits and several insurance claims, as well as other state, federal and international investigations.
The MOVEit cyberattack, one of the largest and most significant of 2023, began when ransomware gang Clop exploited a critical zero-day vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data. The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to mitigate the issue. Five total patches were released between May 31 and July 5, 2023.
In June 2023, CISA and the FBI announced a US$10 million reward for “information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government”. Cybersecurity firm Emsisoft estimated that by July 31, 546 organizations and nearly 37.7 million individuals had been impacted by the vulnerability, with about half of those affected in the finance and professional services/education sectors.
Several healthcare providers have been affected by the MOVEit data breach. These include:
- UT Southwestern Medical Center: A leading academic medical center in Dallas, Texas, known for groundbreaking research and care.
- UofL Health: A comprehensive health provider based in Louisville, Kentucky, offering a wide range of services.
- Harris Health System: A public healthcare system serving Harris County, Texas, providing care for underserved populations.
- Johns Hopkins All Children’s Hospital: A renowned children’s hospital in Florida.
- Johns Hopkins Medicine: A top global medical institution known for innovative research and patient care.
- CareSource: A major Ohio-based healthcare provider serving over 3.2 million members.
- Baptist Health System: A prominent Alabama healthcare provider, impacted by sensitive patient data breaches.
- OneBlood: A nonprofit blood center.
Global damages from the MOVEit breach total upwards of $12 billion.