In 2023, a cyberattack exploiting the MOVEit file transfer service exposed the sensitive data of nearly one million Wisconsin residents, affecting the Wisconsin Physicians Service Insurance Corporation (WPS), a Medicare contractor. WPS initially believed it was secure after applying a patch, but later discovered in 2024 that hackers had accessed personal information, including Social Security numbers, Medicare account details, and health insurance records, before the patch was implemented.
CMS and WPS are now notifying affected individuals and offering free credit monitoring services.
The breach occurred while WPS processed Medicare claims and transmitted data using MOVEit. CMS is issuing new Medicare cards and advising recipients to destroy their old ones and update their healthcare providers. The Clop ransomware gang, which targeted MOVEit globally, is suspected of being behind the attack.
Why It Matters: This breach exemplifies the cybersecurity risks facing organizations that rely on third-party services like MOVEit to manage sensitive data. For tech leaders, timely patching, thorough post-incident reviews, and ongoing system monitoring are important to catch breaches that might have gone undetected.
- Data Compromised: Exposed information includes names, Social Security numbers, addresses, Medicare account details, and health insurance data of 946,801 individuals. Notifications are being sent to those affected.
- Breach Discovery: The breach affected nearly one million Wisconsin residents, exposing highly sensitive information such as Social Security numbers, Medicare account details, and health records – posing a serious risk for identity theft and fraud.
- CMS Response: CMS is issuing new Medicare cards to affected individuals and offering one year of free credit monitoring. CMS also posts notifications for individuals whose contact information is not up to date.
- Broader Impacts: This attack is expected to be part of a larger global campaign by the Clop ransomware group, affecting 2,773 organizations and exposing data of nearly 96 million individuals. Progress Software, the company behind MOVEit, faces multiple class action lawsuits and investigations related to the breach.