Sensitive information belonging to nearly one million Wisconsin residents was breached during the cybercriminal campaign last year that targeted the popular MOVEit file transfer service.

The Centers for Medicare & Medicaid Services (CMS) — the federal agency that manages the Medicare program — and the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.

According to the release, 946,801 people are being sent notices explaining that their names, Social Security numbers, birthdays, addresses, Medicare account numbers, health insurance information and more were leaked.

CMS said it will send victims new Medicare cards in the coming weeks. After getting the new card, those affected were asked to destroy their old ones and inform their providers that they have a new Medicare number.

The letters explain that when the original attacks were announced in May 2023, WPS — which is the Wisconsin state contractor that handles Medicare claims and other services — applied the patch for the MOVEit vulnerability and did not find evidence that their systems were accessed by the hackers. 

But “acting on new information,” in May 2024 WPS conducted another investigation of its MOVEit file transfer system with an unnamed cybersecurity company. They confirmed that before WPS had applied the patch hackers copied files from their system.

In July, WPS notified CMS that files containing personal information had been accessed between May 27 and May 31, 2023. 

The stolen data was collected while WPS was managing Medicare claims and auditing healthcare providers, and the contractor used MOVEit to send the files to CMS.

In addition to the letters, CMS is posting a notice on its website for people whose up-to-date contact information they could not find. CMS did not respond to requests for comment about whether that means more people are affected than are listed on the notice.

The federal agency said it is still investigating the incident and is working with law enforcement on the effort. 

They urged victims to sign up for the one year of free credit monitoring services and to generally watch their accounts for fraudulent activity. 

The campaign against MOVEit is considered by some experts to be one of the largest data breaches ever, with cybersecurity firm Emsisoft estimating that 2,773 organizations were impacted by the attacks on MOVEit. The records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

The incident caused international outrage as dozens of government agencies, Fortune 500 companies and more confirmed that troves of data had been stolen by hackers connected to the Clop ransomware gang.

The gang is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

Last month, the Securities and Exchange Commission said it would not pursue enforcement action against the company behind MOVEit — Progress Software — but it is still facing approximately 144 class action lawsuits and several insurance claims, as well as other state, federal and international investigations.

CMS — which provides health coverage to more than 160 million people through Medicare, Medicaid, the Children's Health Insurance Program and the Health Insurance Marketplace — previously said last November that 330,000 Medicare recipients were impacted when the Clop hackers breached the MOVEit system used by a contractor.