MOVEit Data Breach Affects Over 3 Million, Sparks Investigations and Lawsuits

In early September, the Centers for Medicare & Medicaid Services (CMS) and the Wisconsin Physicians Service Insurance Corporation (WPS) reported that the number of victims affected by the MOVEit data breach had surpassed 3 million.

According to Jonathan Greig from The Record, an additional 946,801 individuals were notified that their personal information—including names, Social Security numbers, birth dates, addresses, Medicare account numbers, and health insurance details—was exposed in the breach.

A CMS spokesperson provided further breakdowns, revealing that the affected individuals include approximately 1.9 million non-Medicare recipients and 1.2 million Medicare beneficiaries. Of the Medicare group, around 247,000 are deceased, while 946,801 are still living.

Despite its name, WPS processes Medicare claims in Wisconsin, Illinois, Iowa, Kansas, Michigan, Missouri, and Nebraska. A WPS spokesperson clarified that beneficiaries outside these states might also be affected if they receive care from providers in these regions. When the breach was announced in May 2023, WPS stated that there was no evidence hackers had accessed its systems.

The MOVEit data breach, involving a managed file transfer software, is one of the largest on record. Approximately 2,773 organizations, ranging from government agencies to businesses of various sizes, were impacted. The Clop ransomware gang responsible for the attack is estimated to have extorted between $75 and $100 million in ransom payments.

In August, the Securities and Exchange Commission (SEC) announced that it would not take enforcement action against Progress Software, the developer of MOVEit. However, the company still faces state, federal, and international investigations and over 140 class action lawsuits.