Medicare Patients’ Health Records Breached in MOVEit Hack

More than 600,000 people in the US Medicare program may have had personal data including medical records exposed through a data breach.

(Bloomberg) — More than 600,000 people in the US Medicare program may have had personal data including medical records exposed through a data breach.

The data was on systems belonging to Maximus Federal Services, a unit of Maximus Inc., that used file transfer software MOVEit, Medicare announced in a statement. A vulnerability in the MOVEit software exploited by hackers has been tied to a widening circle of data breaches at companies and public agencies.

Medicare patients may have had some of their most intimate health information exposed, including medical histories and visit notes, diagnoses, images and treatments, along with names, dates of birth, contact information and insurance data, the agency said.

Maximus alerted the Centers for Medicare and Medicaid Services to the breach on June 2, three days after it detected unusual activity on the MOVEit program, according to the agency. CMS systems were not directly affected, the agency said.

Maximus said in a statement that it’s investigating the breach and that other parts of its corporate network were unaffected.

Read More: US Health Department Ensnared by MOVEit Hacking Campaign

The agency and the company are contacting the 612,000 people affected and intend to offer free credit monitoring services and instructions on how they can replace compromised Medicare cards.

The Medicare program covers about 65 million Americans.

Maximus, based in McLean, Virginia, is a large government contractor that gets almost half its revenue from US federal agencies, according to a company filing. The company brought in nearly $2.5 billion in unclassified contract awards from CMS since 2019, according to Bloomberg Government data. A little over $2 billion of that was made up of three call center contracts — the latest set to expire in 2031.

–With assistance from William Turton and Caleb Harshberger.

(Updates with additional details on Maximus’ contracting business in final paragraph)

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.