CMS Notifies Individuals Potentially Impacted by WPS Data Breach
On September 6, 2024, the Centers for Medicare and Medicaid Services (CMS) announced that CMS and its contractor, Wisconsin Physician Service Insurance Corporation (WPS), have begun the process of notifying nearly a million Medicare beneficiaries that were potentially impacted by a data breach involving WPS.
The data breach involved WPS’ use of the third-party application MOVEit. MOVEit is a file transfer application developed by Progress Software. In May 2023, a hacker group called CL0P discovered a security vulnerability that allowed the company to steal sensitive information from secure databases used by numerous governmental agencies and corporations. This included the protected health information (PHI) of Medicare beneficiaries and non-Medicare beneficiaries stored within WPS’ databases.
The notices inform affected Medicare beneficiaries of the steps they can take to protect themselves. As part of its remedial efforts, WPS is offering affected Medicare beneficiaries one year of free credit monitoring from Experian.
CMS indicated that it was not aware of any reported incidents of fraud or improper use of a Medicare Beneficiary Identifier (MBI). However, CMS noted that, if the beneficiary’s MBI was potentially impacted, they would mail a new Medicare card with a new MBI to the patient. Thus, the data breach has the potential to impact the patient demographic information you currently maintain within your billing systems. This is especially true for AAA Members that operate in Medicare jurisdictions currently administered by WPS (Iowa, Indiana, Kansas, Michigan, Missouri, and Nebraska). Specifically, the MBIs on file for existing patients may no longer be accurate. This also has the potential to impact Medicare eligibility information that you receive from other parties like hospitals, skilled nursing facilities, etc.
AAA Members will have to make a business judgment on how to address these potential concerns. One possible option would be to implement a process to confirm the MBI of existing patients prior to the submission of new claims. Another possible option might be to implement internal procedures to flag claims that are denied for an incorrect MBI as potentially related to this issue, and to then verify the patient’s correct MBI prior to resubmitting any denied claims.
Centers for Medicare and Medicaid Services (CMS), Medicare