Fraud Management & Cybercrime , Government , Healthcare
CMS Now Says 3.1 Million Affected by MOVEit Hack
New Estimate Is 3 Times Higher Than Number Agency Initially Publicly DisclosedThe U.S. Centers for Medicare and Medicaid Services has updated the scope of the MOVEit hacking breach last year, telling a sister agency that the software supply chain attack affected more than 3.1 million individuals - about three times the number of victims disclosed publicly earlier this month.
See Also: VMware Carbon Black App Control
CMS - a unit of the U.S. Department of Health and Human Services - reported the hacking incident on Sept. 6 to another agency of HHS - the Office for Civil Rights, which enforces HIPAA - as affecting 3,112,815 people.
But that same day, CMS issued a joint press release with Wisconsin Physicians Service Insurance Corp., saying they were notifying nearly notified nearly 947,000 individuals that their protected health information was breached involving the 2023 MOVEit attack (see: Breach Roundup: Mexico in Hacker Spotlight).
CMS in a statement to Information Security Media Group confirmed that the total number of individuals affected by the MOVEit breach is 3.1 million. "Of this number 946,801 are active Medicare beneficiaries. The balance represents individuals who are either deceased or are non-Medicare beneficiaries, whose information was collected as part of WPS' work for CMS."
Wisconsin Physicians Service, a CMS contractor that handles Medicare claims and related services, notified the agency on July 8 after conducting a review of its MOVEit file transfer system in May with help from a third-party cybersecurity firm. Data affected by the breach includes personal health information such as Medicare claims data and identifying information such as Social Security numbers and birthdates, as well as Medicare beneficiary identifiers.
As of June, security firm Emsisoft counted 2,773 organizations and nearly 95.8 million individuals as affected by the MOVEit hacking incident.
Clop - a Russian-speaking cybercriminal group also known as Cl0p - on May 27, 2023, began exploiting a zero-day vulnerability, later designated CVE-2023-34362, in Progress Software's MOVEit secure file transfer software. Four days later, Progress alerted users about the campaign and released a patch to fix the flaw.
While the extortion group didn't crypto-lock any of the MOVEit file transfer servers it targeted, the group did steal voluminous amounts of data.
Education, healthcare, financial services and professional services sectors were among the most highly affected. Besides CMS, other victims included IT consultancy Maximus, Shell Oil, healthcare software vendor Welltok, Delta Dental of California and state government agencies in Louisiana, Colorado and Oregon.
The attacks led to an estimated $75 million to $100 million windfall for Clop, paid by a few very large ransoms by affected organizations in return for a promise to not leak their stolen data, according to ransomware incident response firm Coveware (see: Data Breach Toll Tied to Clop Group's MOVEit Attack Surges).
Progress Software last month told investors that the U.S. Securities and Exchange Commission, which launched a probe into the MOVEit incident last October, has decided not to take an enforcement action against the company (see: Feds Drop Probe Into Progress Software Over MOVEit Zero-Day).