Medicare Patients’ Health Records Breached in MOVEit Hack

(Bloomberg) -- More than 600,000 people in the US Medicare program may have had personal data including medical records exposed through a data breach.

Most Read from Bloomberg

• Bond Rout Saps Risk Appetite Before Jobs Report: Markets Wrap

• Fitch’s US Credit Downgrade Sparks Criticism Along With Unease

• Canada PM Justin Trudeau Splits With Wife Sophie Gregoire

• The Strange Story Behind ‘Baldur’s Gate 3,’ One of the Year’s Biggest Releases

• NYC Considers Central Park Among Sites to House Migrants as Crisis Mounts

The data was on systems belonging to Maximus Federal Services, a unit of Maximus Inc., that used file transfer software MOVEit, Medicare announced in a statement. A vulnerability in the MOVEit software exploited by hackers has been tied to a widening circle of data breaches at companies and public agencies.

Medicare patients may have had some of their most intimate health information exposed, including medical histories and visit notes, diagnoses, images and treatments, along with names, dates of birth, contact information and insurance data, the agency said.

Maximus alerted the Centers for Medicare and Medicaid Services to the breach on June 2, three days after it detected unusual activity on the MOVEit program, according to the agency. CMS systems were not directly affected, the agency said.

Maximus said in a statement that it’s investigating the breach and that other parts of its corporate network were unaffected.

Read More: US Health Department Ensnared by MOVEit Hacking Campaign

The agency and the company are contacting the 612,000 people affected and intend to offer free credit monitoring services and instructions on how they can replace compromised Medicare cards.

The Medicare program covers about 65 million Americans.

Maximus, based in McLean, Virginia, is a large government contractor that gets almost half its revenue from US federal agencies, according to a company filing. The company brought in nearly $2.5 billion in unclassified contract awards from CMS since 2019, according to Bloomberg Government data. A little over $2 billion of that was made up of three call center contracts — the latest set to expire in 2031.

--With assistance from William Turton and Caleb Harshberger.

(Updates with additional details on Maximus’ contracting business in final paragraph)

Most Read from Bloomberg Businessweek

• Influencers Built Up This Wellness Startup—Until They Started Getting Sick

• AI in Hollywood Has Gone From Contract Sticking Point to Existential Crisis

• Amazon Unveils Biggest Grocery Overhaul Since Buying Whole Foods

• With AI Booming, Gary Gensler Wants to Keep Finance Safe for Humans

• Honoring the Enslaved Man Who Made Jack Daniel’s First Whiskey

©2023 Bloomberg L.P.