Maximus data breach may have exposed information of 612,000 Medicare recipients, CMS says

The federal contractor in a Wednesday SEC filing disclosed that it was hit by the MOVEit ransomware attack in May.

A data breach that hit the corporate network of federal contractor Maximus earlier this year may have exposed the personal information of as many as 612,000 Medicare recipients, according to the Centers for Medicare and Medicaid Services.

The Department of Health and Human Services (HHS) agency said in a statement Friday it is working with the Reston, Virginia-headquartered company to notify by letter any individuals who may have been affected by the breach.

“The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have responded to a May 2023 data breach in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc., a contractor to the Medicare program, that involved Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI),” CMS said.

The agency’s statement comes after Maximus in a Wednesday SEC filing revealed that its corporate network was affected by the MOVEit ransomware attack, discovered in May, and that between 8 million and 11 million individuals may have had their information compromised.


In response to the incident, CMS and Maximus are sending letters to any Medicare recipients whose information may have been compromised and will offer free-of-charge credit monitoring services for 24 months.

No CMS or HHS IT systems were compromised as a result of the cyberattack.

Maximus is one of hundreds of private and public sector entities that have so far been affected by the MOVEit ransomware attack, which targeted customers of Progress Software’s file transfer tool.

Other companies compromised include energy giant Shell and U.S.-based First Merchants Bank. Cybersecurity company Telos, which provides services to the Department of Defense and the Department of State, has also been affected.

A Maximus spokesperson told FedScoop in a statement that “[d]ata privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us.”


“On May 31, Progress Software Corporation announced a critical security vulnerability in MOVEit, their managed file transfer software, which is used by many companies, including Maximus. We quickly took measures to respond to the situation and are thoroughly investigating the issue,” the statement continued. “To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network.”

The company added: “We have been working with the subset of our customers who were using MOVEit as part of their workflows and continue to provide updates and support to them as our investigation proceeds. We continue to closely monitor our systems for any unusual activity.”
