It’s been over a year since news of the MOVEit breach first broke, and we’re still learning about new victims.
The latest company to join the list is The Centers for Medicare & Medicaid Services (CMS), a U.S. federal agency within the U.S. Department of Health and Human Services (HHS) that oversees the nation’s major health care programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP). It thus plays a critical role in managing health insurance for millions of Americans.
The agency has now confirmed that a data breach resulting from the MOVEit vulnerability has taken place, with sensitive data on 3,112,815 people. Many of them are deceased or not Medicare beneficiaries, as CMS only notified about 950,000 people.
Personally Identifiable Information Stolen
In the notice of infringementwhich was also sent to HHS, CMS said scammers took people’s names, Social Security numbers, individual taxpayer identification numbers, dates of birth, mailing addresses, gender information, hospital billing numbers, dates of service, Medicare beneficiary identification information and health insurance claim numbers.
This is more than enough data to launch identity theft or phishing attacks, which could lead to even more serious attacks.
CMS explained that it patched its MOVEit Transfer instance in early June of last year and assumed it would be safe. However, by the time the patch was deployed, Cl0p staff had already extracted all the information they needed, and CMS didn’t realize it until May of this year.
Last year, ransomware operators Cl0p discovered a flaw in its managed file transfer service and used it to steal sensitive data from hundreds of organizations worldwide, prompting the SEC to launch a wide-ranging investigation.
Via BleepingComputer