The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying individuals whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that processes Medicare Parts A/B claims and related services for CMS.
The notification follows the discovery of a security vulnerability in MOVEit software, a third-party application developed by Progress Software and used by WPS for file transfer in providing services to CMS. WPS is one of many organizations in the United States affected by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries collected while processing Medicare claims, as well as PII collected to support CMS audits of healthcare providers that individuals who are not Medicare beneficiaries visited to receive healthcare services.
CMS and WPS sent written notifications to 946,801 individuals who are current Medicare beneficiaries and whose PII may have been disclosed. The notifications informed these individuals about the breach and explained the actions taken in response. CMS is also issuing substitute notice with similar information for individuals for whom there was insufficient or outdated contact information to provide written notification.

