CMS is notifying nearly a million Medicare beneficiaries of a data breach in which a hacker copied patients' files.

The breach originated with Wisconsin Physicians Service Insurance Corp., an administrative services contractor for CMS that used the MOVEit file transfer software from Progress Software. MOVEit had a security vulnerability in 2023 that left its clients' data susceptible to hackers.

Wisconsin Physicians Service Insurance Corp.'s original investigation in 2023 did not find that any files were stolen. However, in May, acting on new information the company reinvestigated and determined that an unauthorized party had copies filed before the vulnerability was fixed.

CMS and the contractor are mailing written notifications to 946,801 Medicare beneficiaries whose personally identifiable information may have been compromised in the incident. The breached data included names, addresses, Social Security numbers, dates of birth, hospital account numbers, and dates of services. CMS will be mailing new Medicare cards to patients whose Medicare Beneficiary Identifiers were exposed.