Skip to main content

CMS Notifies Individuals Potentially Impacted by WPS Data Breach

On September 6, 2024, the Centers for Medicare and Medicaid Services (CMS) announced that CMS and its contractor, Wisconsin Physician Service Insurance Corporation (WPS), have begun the process of notifying nearly a million Medicare beneficiaries that were potentially impacted by a data breach involving WPS.

The data breach involved WPS’ use of the third-party application MOVEit.  MOVEit is a file transfer application developed by Progress Software.  In May 2023, a hacker group called CL0P discovered a security vulnerability that allowed the company to steal sensitive information from secure databases used by numerous governmental agencies and corporations.  This included the protected health information (PHI) of Medicare beneficiaries and non-Medicare beneficiaries stored within WPS’ databases.

The notices inform affected Medicare beneficiaries of the steps they can take to protect themselves.  As part of its remedial efforts, WPS is offering affected Medicare beneficiaries one year of free credit monitoring from Experian.

CMS indicated that it was not aware of any reported incidents of fraud or improper use of a Medicare Beneficiary Identifier (MBI).  However, CMS noted that, if the beneficiary’s MBI was potentially impacted, they would mail a new Medicare card with a new MBI to the patient.  Thus, the data breach has the potential to impact the patient demographic information you currently maintain within your billing systems.  This is especially true for AAA Members that operate in Medicare jurisdictions currently administered by WPS (Iowa, Indiana, Kansas, Michigan, Missouri, and Nebraska).  Specifically, the MBIs on file for existing patients may no longer be accurate.  This also has the potential to impact Medicare eligibility information that you receive from other parties like hospitals, skilled nursing facilities, etc.

AAA Members will have to make a business judgment on how to address these potential concerns.  One possible option would be to implement a process to confirm the MBI of existing patients prior to the submission of new claims.  Another possible option might be to implement internal procedures to flag claims that are denied for an incorrect MBI as potentially related to this issue, and to then verify the patient’s correct MBI prior to resubmitting any denied claims.

Centers for Medicare and Medicaid Services (CMS), Medicare


Brian Werfel

Brian S. Werfel, Esq. is a partner in Werfel & Werfel, PLLC, a New York based law firm specializing in Medicare issues related to the ambulance industry. Brian is a Medicare Consultant to the American Ambulance Association, and has authored numerous articles on Medicare reimbursement, most recently on issues such as the beneficiary signature requirement, repeat admissions and interrupted stays. He is a frequent lecturer on issues of ambulance coverage and reimbursement. Brian is co-author of the AAA’s Medicare Reference Manual for Ambulance, as well as the author of the AAA’s HIPAA Reference Manual. Brian is a graduate of the University of Pennsylvania and the Columbia School of Law. Prior to joining the firm in 2005, he specialized in mergers & acquisitions and commercial real estate at a prominent New York law firm. Werfel & Werfel, PLLC was founded by David M. Werfel, who has been the Medicare Consultant to the American Ambulance Association for over 20 years.

Stay In Touch!

By signing up, you agree to the AAA Privacy Policy & Terms of Use