The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have responded to a May 2023 data breach in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. (Maximus), a contractor to the Medicare program, that involved Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No HHS or CMS systems were impacted. Maximus is among the many organizations in the United States that have been impacted by the MOVEit vulnerability. This week, CMS and Maximus are sending letters to individuals who may have been impacted notifying them of the breach, and explaining actions being taken in response. CMS estimates the MOVEit breach impacted approximately 612,000 current Medicare beneficiaries.
