What happened in the Maximus data breach?

Twingate Team

May 24, 2024

In May 2023, a significant data breach occurred at Maximus Federal Services, a contractor to the Medicare program. The breach involved unauthorized access to sensitive information of Medicare beneficiaries through a vulnerability in the MOVEit Transfer software application. As a result, personal and health-related data of an undisclosed number of individuals were compromised.

How many accounts were compromised?

The breach impacted data related to approximately 10 million individuals.

What data was leaked?

The data exposed in the breach included health insurance claim numbers, dates of birth, medical diagnoses, treatment information, Social Security numbers, and other personally identifiable information.

How was Maximus hacked?

The unauthorized access to sensitive information at Maximus Federal Services occurred through a zero-day flaw in the MOVEit Transfer software application. Hackers exploited this vulnerability to gain access to files across numerous organizations in both government and private sectors. Upon detecting unusual activity, Maximus promptly began an investigation, took the MOVEit application offline, and applied software patches to address the vulnerability. The stolen data included Social Security numbers, protected health information, and other personal details.

Maximus's solution

In response to the hack, Maximus took several measures to secure its platform and prevent future incidents. This included initiating an investigation upon detecting unusual activity, taking the MOVEit application offline, and applying software patches to address the vulnerability. Maximus also notified law enforcement and collaborated with cybersecurity experts during the investigation. To further protect affected individuals, Maximus, along with the Centers for Medicare & Medicaid Services, sent letters to potentially impacted Medicare beneficiaries, offering free-of-charge credit monitoring services for 24 months and providing information on obtaining a free credit report and a new Medicare card with a new number, if necessary.

How do I know if I was affected?

Maximus, in collaboration with the Centers for Medicare & Medicaid Services, has notified individuals believed to be affected by the breach. If you are a Medicare beneficiary and have not received a notification, you may visit Have I Been Pwned to check if your credentials were compromised.

What should affected users do?

In general, affected users should:

  1. Change Your Passwords: Immediately update your passwords for any accounts that may have been compromised. Make sure the new passwords are strong and unique, not previously used on any other platform.

  2. Reset Passwords for Other Accounts: If you've used the same or similar passwords for other online accounts, reset those as well. This is crucial as attackers often try using stolen passwords on multiple sites.

  3. Enable Two-Factor Authentication (2FA): Activate 2FA on any affected accounts. Consider enabling this additional security feature on all other important online accounts to significantly reduce the risk of unauthorized access.

  4. Monitor Your Accounts: Keep an eye on your accounts for any suspicious activity and report any unauthorized transactions or changes immediately.

For more specific help and instructions related to Maximus's data breach, please contact MAXIMUS | NYSS Chat Support Portal directly.

Where can I go to learn more?

If you want to find more information on the Maximus data breach, check out the following news articles:
