US government agency confirms it was hit by major ransomware attack


It’s been more than a year since news of the MOVEit breach first emerged, and we’re still getting information on new victims.
The latest firm to add to the list is The Centers for Medicare & Medicaid Services (CMS), a US federal agency within the U.S. Department of Health and Human Services (HHS) that oversees the nation’s major healthcare programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP), and so plays a critical role in administering health coverage to millions of Americans.
The agency has now confirmed suffering a data breach incident as a result of the MOVEit vulnerability that saw sensitive data belonging to 3,112,815 people stolen. Many of those are either deceased, or not Medicare beneficiaries, since CMS only notified roughly 950,000 people.
Personally identifiable information stolen
In the breach notification letter, which was also sent to the HHS, CMS said crooks took people’s names, social security numbers, individual taxpayer identification numbers, birth dates, mailing addresses, gender data, hospital account number, dates of service, Medicare beneficiary identifiers, and health insurance claim numbers.
This is more than enough data to mount identity theft or phishing attacks that could result in even more disruptive attacks.
CMS explained that it patched its MOVEit Transfer instance in early June last year, and assumed it would be safe. However, by the time the patch was installed, Cl0p operatives had already extracted all of the information they needed, and CMS only realized that in May this year.
Last year, ransomware operators Cl0p found a flaw in the managed file transfer service and used it to steal sensitive data from hundreds of organizations around the world, leading to the SEC launching a full investigation.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via BleepingComputer
More from TechRadar Pro
It’s been more than a year since news of the MOVEit breach first emerged, and we’re still getting information on new victims. The latest firm to add to the list is The Centers for Medicare & Medicaid Services (CMS), a US federal agency within the U.S. Department of Health and…
Recent Posts
- British startup claims to have developed tech that can deliver 65% lossless file compression – but you’ll have to pay big for it
- The White House’s favorite source of pro-Trump news is … the White House’s YouTube channel
- NYT Wordle today — answer and my hints for game #1476, Friday, July 4
- We confirmed Nintendo’s Switch 2 TV dock supports VRR — so why doesn’t it work with Switch 2?
- Chinese vendor launches liquid-cooled mini PC powered by AMD’s most powerful AI processor, with a built-in 400W PSU
Archives
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021