Medicaid, Medicare among victims of MOVEit data breach
More than half a million Medicare beneficiaries and several million Medicaid beneficiaries across multiple states are among the 60 million (or more) international consumers affected by one of the largest data breaches in recent history.
The incident, first uncovered in May of 2023, centers on the MOVEit file transfer platform by Progress Software Corporation. MOVEit is used by thousands of technology customers to send and receive data. In the spring, Progress discovered a critical vulnerability in its offering that allowed an unauthorized entity to access and transfer files from the platform’s clients.
These clients include companies contracted with the national Medicare program, as well as state Medicaid programs and other commercial insurance payers.
As a result, more than 4 million Medicaid beneficiaries in Colorado, as well as more than 134,000 Massachusetts residents and an unconfirmed number of Medicaid members in Missouri, suffered unauthorized access to a wide range of personal information. In at least some of these states, the stolen data includes demographic data, program ID numbers and insurance information, as well as clinical/medical data such as diagnoses, lab results, and medications.
Approximately 612,000 Medicare members are also involved in the breach, said CMS in a recent press release. The attacker also accessed personal identification and personal health information for these beneficiaries, including Social Security numbers, driver’s license numbers, Medicare beneficiary ID numbers, medical histories and clinical notes, provider information, and claims data.
Performance Health Technology, which provides a variety of data management services to commercial health plans, was also affected by the breach. The company confirmed that the attacker accessed some of its customers’ data that might include demographic and Social Security data, plan ID information, diagnosis and procedure codes, and claims information.
Each entity states that the vulnerability was addressed quickly, and that potentially affected members will be eligible for identity protection services, such as credit monitoring and identity restoration services. Victims are advised to monitor their credit reports, medical records, and financial statements for any suspect activity.
The scale of the breach places it among the top ten largest healthcare cyberattacks in recent years, according to HIPAAJournal.com, but likely doesn’t take the top spot in 2023. That dubious honor belongs to HCA Healthcare, which disclosed a breach affecting at least 11 million patients in July.
Multi-million-patient data breaches have been common this year, following a trend of increasingly serious attacks from cybercriminals across the globe. Since 2020, the incidence of healthcare data breaches has increased sharply, with more than 700 separate breaches occurring each year in 2021 and 2022.
In response, federal agencies have ramped up the offensive against cybercrime by taking down malware networks, providing guidance about commonly used technologies, and launching new initiatives to strengthen the nation’s security infrastructure in the face of unrelenting assaults.
Hospitals, health systems, healthcare payers, and data service providers working with these organizations will need to follow suit by bulking up their defenses, especially as cloud technologies become more popular across the care continuum.
Healthcare entities should invest in robust staff training, stringent credential management, real-time monitoring and timely patching, two-factor authentication, and the use of secure protocols for medical devices, to protect infrastructure from common points of entry and reduce the likelihood of a direct breach.
Organizations should also work closely with their contractors and vendors to ensure that these third parties are taking similarly proactive approaches to keeping data secure in an increasingly complex and vulnerable digital environment.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at firstname.lastname@example.org.