Nearly 1 Million More Medicare Beneficiaries May Be Affected in Year-Old Data Breach
How to protect yourself if Medicare says your personal information has been exposed.
The Centers for Medicare & Medicaid Services (CMS) is notifying almost a million beneficiaries whose personal information may have been compromised in a contractor’s data breach last year.
The contractor, Madison-based Wisconsin Physicians Service Insurance Corp., processes Medicare claims for CMS in six states: Illinois, Iowa, Kansas, Michigan, Missouri and Nebraska. But beneficiaries elsewhere could be affected if they used providers in those states. The notification to 946,801 Medicare beneficiaries comes more than a year after a security vulnerability was discovered in file-transfer software called MOVEit.
Wisconsin Physicians Service collects information such as Medicare and Social Security numbers to manage Medicare claims and audit health care providers. The Medicare beneficiaries’ personally identifiable information was exposed between May 27 and May 31, 2023, but the company patched its MOVEit software and initially thought none of its records had been part of the data breach.
New review unearthed previous copying of records
In May of this year, Wisconsin Physicians Service again reviewed its MOVEit file transfer system with help from a cybersecurity firm, discovering that files had been copied before the patch was put in place. Portions of the files had no personal information, but other parts evaluated July 8 were determined to include information valuable to hackers:
- Name
- Address
- Birth date
- Gender
- Hospital account number
- Medicare or health insurance claim number
- Social Security number or taxpayer identification number
In August 2023, CMS said the MOVEit data breach had affected 612,000 Medicare beneficiaries. Other commercial and government customers worldwide also use the file transfer application.
“The Centers for Medicare & Medicaid Services have issued … multiple notices in July 2023 related to third-party administrators who were users of the MOVEit transfer software,” says James E. Lee, chief victims officer for the San Diego-based Identity Theft Resource Center. “This is the first breach notice related to Wisconsin Physicians Service Insurance Corp., and it too is linked to the MOVEit breach from last year.”
CMS and Wisconsin Physicians Service say they are not aware of reports of identity fraud or improper use of the personal information as a direct result of the breach but are mailing notifications to the Medicare beneficiaries telling them of steps they can take to protect their financial health.
How to protect your personal information
You can take steps to help monitor your Medicare and credit record and further protect your privacy:
- Enroll in free credit monitoring. Wisconsin Physicians Service is offering 12 months of free credit monitoring and other services from Experian to people affected. The notice includes steps for enrolling; you do not need to provide your credit card number to sign up.
- Order a free credit report. Under federal law, you can order one free credit report every 12 months from each of the three major credit agencies — Equifax, Experian and TransUnion — or by calling 877-322-8228. But you can check those reports every week online. Review the reports for suspicious activity and check them periodically.
Report incorrect information to the credit reporting company. If you believe your information is being misused, contact local law enforcement and file a complaint to the Federal Trade Commission.
- Consider freezing your credit. “Credit monitoring is helpful, but it only tells you what has happened,” Lee says. “It does not stop new credit accounts from being opened in your name.” By freezing your credit, you limit access to your credit history and make it more difficult for identity thieves to open new accounts in your name.
- Use your current Medicare card for now. If your Medicare number was affected, CMS will mail a new Medicare card to you with a new number in the next few weeks. In the meantime, you can use your current card. When the new card arrives, destroy your old card and let your doctors and other providers know about the new card number.
- Review your Medicare claims notices. “In health care breaches, it’s important that victims review their benefit statements to determine if anyone has accessed medical services under their name,” Lee says. You receive a Medicare Summary Notice every three months reporting the Medicare claims made in your name.
You can review Medicare claims more quickly using your online Medicare account. Contact the doctor’s office about any problems and report claims you didn’t make to Medicare at 800-633-4227. You can also contact the Senior Medicare Patrol, which receives grants from the federal government and has branches in each state to help detect and report Medicare fraud. Find contact information for your state on the SMP resource center website or by calling 877-808-2468.
For a referral to an insurance agent to assist with your Medicare claims and how to protect your personal information, contact a certified elder law attorney(*), such as Linda Strohschein and her team at Strohschein Law Group. To set up an appointment, contact Strohschein Law Group at 630-300-0627.
This information provided by Strohschein Law Group is general in nature and is not intended to be legal advice, nor does it constitute a legal relationship. Please consult an attorney for advice regarding your individual situation.
(*) The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law and the CELA designation is not a requirement to practice law in Illinois.