It's been over a year since news of the MOVEit breach first surfaced, and we're still receiving information about new victims.
The latest organization to join the list is the Centers for Medicare & Medicaid Services (CMS), a U.S. federal agency within the Department of Health and Human Services (HHS). It oversees the country's major health care programs, including Medicare, Medicaid, and the Children's Health Insurance Program (CHIP), and thus plays a critical role in administering health coverage to millions of Americans.
The agency has confirmed that it suffered a data breach as a result of the MOVEit vulnerability, which led to the theft of sensitive data belonging to 3,112,815 individuals. Many of them are deceased or are not Medicare beneficiaries, as CMS only notified approximately 950,000 individuals.
Stolen Personally Identifiable Information
In the breach notification letter, which was also sent to HHS, CMS said the criminals took people's names, Social Security numbers, individual taxpayer identification numbers, dates of birth, mailing addresses, gender data, hospital billing numbers, dates of service, Medicare beneficiary identifiers and health insurance claim numbers.
This data is more than enough to commit identity theft or launch phishing campaigns that could lead to even more disruptive attacks.
CMS explained that it had installed a patch on its MOVEit Transfer instance in early June last year and assumed it would be secure. However, by the time the patch was installed, Cl0p agents had already extracted all the information they needed, and CMS only became aware of this in May this year.
Last year, the operators of the Cl0p ransomware found a flaw in the managed file transfer service and used it to steal sensitive data from hundreds of organizations around the world, prompting the SEC to launch a full investigation.
Via BleepingComputer