CMS Announced Data Breach

On July 28, 2023, CMS announced its response to a data breach at one of its contractors. According to the press release, “May 30, 2023, Maximus detected unusual activity in its MOVEit application. Maximus began to investigate and stopped all use of the MOVEit application early on May 31, 2023. Later that same day, the third-party application provider, Progress Software Corporation, announced that a vulnerability in its MOVEit software had allowed an unauthorized party to gain access to files across many organizations in both the government and private sectors.

“Maximus notified CMS of the incident on June 2, 2023. To date, the ongoing investigation indicates that on approximately May 27 through 31, 2023, the unauthorized party obtained copies of files that were saved in the Maximus MOVEit application, but that no CMS system has been compromised. After notifying CMS, Maximus then began to analyze the files to determine which data had been affected. As part of that analysis, it was determined that those files contained some of your personal information.”

CMS estimates the MOVEit breach impacted approximately 612,000 current Medicare beneficiaries. According to the press release, “CMS and Maximus are notifying Medicare beneficiaries whose PII and/or PHI may have been exposed that they are being offered free-of-charge credit monitoring services for 24 months. This notification also contains information about how impacted individuals can obtain a free credit report, and, for those beneficiaries whose Medicare Beneficiary Identifier number may have been impacted, information on receiving a new Medicare card with a new number.” A sample of the letter sent to beneficiaries is available here. In the August 3, 2023, Medicare Learning Network Connects article (2023-08-03-MLNC | CMS), CMS confirmed mailing 47,000 new Medicare cards with a new MBI for those affected.

What should suppliers do?

Suppliers who communicate with their beneficiaries on a frequent basis for refill requests or to check adherence to therapy should be asking the beneficiary whether there has been any update to their insurance. A slight modification to that script would allow suppliers to verify whether the beneficiary’s MBI has been changed. Suppliers should also monitor their claim denials for rejections from the Medicare Administrative Contractors (MACs). Pursuant to CMS Pub 100-04 (Medicare Claims Processing Manual), Chapters 1 and 27, the MACs should reject claims billed with an invalid MBI with Group Code CO, CARC code 16 and RARC N382. A supplier who receives the CO16 denial with remark code N382 should first verify that the MBI was entered correctly on the claim. If the correct MBI was entered, the supplier may either:

  • Contact the beneficiary for the updated MBI, or
  • If the supplier has the beneficiary’s first name, last name, DOB and Social Security number, utilize the MBI Lookup Tool on the DME MACs website.

For our RCM clients, ACU-Serve will notify you of these denials as we encounter them so you can contact your beneficiaries. Once the updated MBI is provided, we will update and resubmit the impacted claims.

If you have additional questions, please reach out to your Client Success Manager or Noel Neil.

More information:

CMS Responding to Data Breach at Contractor | CMS
2023-08-03-MLNC | CMS
Medicare Claims Processing Manual