You may have recently received a letter in the mail from a company called Maximus, informing you of a “security incident” regarding your personal information. Given the prevalence of scams and data breaches these days, it’s natural to be suspicious about unsolicited notifications like these.
So is the Maximus letter legitimate or a scam attempt? Should you be concerned about this data breach? I’ll provide a complete breakdown so you can understand exactly what happened and what actions you should take.
What is Maximus?
Maximus is a Reston, Virginia-based corporation that provides business process services to government health and human services agencies across the US. They handle various administrative and back-office functions for programs like Medicare, Medicaid, the Health Insurance Marketplace, child support, and more.
Essentially, they are a contractor that works with government entities. Maximus has over 34,000 employees and reported $3.46 billion in revenue in 2022.
The Data Breach Incident
In May 2023, Maximus detected unauthorized third-party access to some of its internal systems. An investigation revealed that files were improperly accessed through a vulnerability in MOVEit file transfer software.
MOVEit is produced by Progress Software and widely used to share large files across organizations. A flaw in the program allowed hackers to breach the networks of numerous companies and agencies.
In the Maximus case, the breach gave criminals access to Medicare beneficiary data stored on the company's corporate network.
What Data Was Exposed?
Maximus determined the accessed files contained personally identifiable information (PII) and protected health information (PHI) belonging to around 612,000 Medicare recipients.
The exposed data encompassed names, Social Security numbers, Medicare ID numbers, driver’s license details, addresses, phone numbers, email addresses, and even detailed medical records.
This extraordinarily sensitive information in criminal hands presents considerable identity theft and fraud risks.
Who Is Sending the Letters?
The Maximus security incident notification letters are legitimate correspondence authorized by both Maximus and the Centers for Medicare and Medicaid Services (CMS).
CMS is the federal agency overseeing Medicare and requires contractors like Maximus to report data breaches. Both organizations are now contacting impacted individuals by letter about the unauthorized data access.
Contents of the Data Breach Notice Letter
If your information was among the Maximus MOVEit files accessed by hackers, here is what the letter will cover:
- What data elements belonging to you were potentially stolen
- What actions Maximus has taken since detecting the breach
- Enrollment information for 24 months of free credit monitoring and identity theft protection services through Experian
- How to obtain a copy of your credit report to check for suspicious activity
- Details about getting a replacement Medicare card with a new ID number if your existing Medicare number was compromised
- Phone numbers to call if you have any additional questions or concerns
The letter makes clear that no CMS computer systems were directly infiltrated; the intrusion involved a third-party contractor network. But the data that was compromised is nonetheless CMS beneficiary data that the contractor held.
Key Steps to Take If You Receive the Notification
If you get a Maximus data breach letter regarding the recent MOVEit security incident, here are the most important actions to take:
- Enroll in the free Experian credit monitoring services for two years. This will help detect any misuse of your personal information for opening fraudulent accounts.
- Check your credit reports from Equifax, Experian, and TransUnion. Look for accounts or inquiries you don’t recognize and report any suspicious activity. Getting ahead of identity theft is crucial. You can access free annual credit reports or purchase a copy.
- If you have additional questions, call the Experian support line provided in the letter. Experian agents are familiar with the Maximus breach details and can explain protective actions.
- Take advantage of the offer for a replacement Medicare card with a new Medicare ID number not associated with this incident. This will prevent medical identity theft.
- Contact the Federal Trade Commission if you discover your identity or data has been misused. File an identity theft report with your local law enforcement agency as well.
Keep monitoring your credit and financial accounts closely for the next couple of years to catch fraudulent activity early. Unfortunately, data exposed in breaches can end up for sale on the dark web or circulate amongst cybercriminal groups.
Is the Maximus Notification Letter a Scam?
No, the letter does not appear to be a scam. This is based on Maximus being a real government contractor, the alignment of breach details with the May MOVEit exploits, corroborating news sources regarding this incident, and the involvement of CMS in sending notices.
The Better Business Bureau listing for Maximus supports it being an established company as well.
However, scammers are always looking to exploit the latest headlines. Carefully inspect any correspondence about the breach to validate it’s legitimate.
Warning signs of a fraudulent attempt could include:
- Requests for sensitive information upfront
- Vague, threatening, or urgent language
- Poor grammar/spelling errors
- Links to sketchy websites
- An unknown sender address
As long as the letter aligns with the known facts of the Maximus breach and comes from a reliable source, it can be trusted. But stay cautious of contact attempts surrounding the incident that don't seem legitimate.
Maximus Reviews and Complaints
While the data breach notification itself appears valid, it does call Maximus’ cybersecurity standards into question. Government agencies and contractors that handle citizen data have an immense responsibility to protect that sensitive information.
According to cybersecurity rating firm SecurityScorecard, Maximus only scores 549 out of a maximum preparedness score of 950. For comparison, top performers in their industry average around 781.
This indicates below-average diligence in crucial security areas like network protection, application security, malware prevention, social engineering prevention, employee behavior monitoring and more.
Some concerning historical indicators from Maximus as a federal contractor:
✅ They have experienced multiple data breaches over the past decade, including a 2015 incident impacting 80,000 people and a 2018 breach leaking data on 45,000 disability applicants.
✅ In 2007, Maximus paid $30.5 million to settle a False Claims Act lawsuit regarding allegations of improper Medicaid billing in Wisconsin. There have also been subsequent settlements paid by Maximus since then.
✅ Numerous complaints posted on sites like Revdex, ComplaintsBoard, and the BBB mention issues like billing discrepancies, administrative mistakes related to Medicaid/Medicare applications, benefit denial disputes, and misleading direct mail advertisements.
For a contractor handling millions of sensitive health records and assisting with essential public services, these recurring problems are unacceptable.
Maximus Response to the Breach
In defense of Maximus, as soon as the MOVEit vulnerability was uncovered, they took actions including:
- Completely shutting down the affected software to prevent further unauthorized access
- Working with Progress Software to patch the weaknesses in MOVEit exploited by hackers
- Notifying CMS and coordinating a response per agency protocols
- Investigating the breach details through computer forensic analysts
- Sending notification letters to impacted individuals explaining the situation and offering protective services like credit monitoring
They also expressed regret to affected individuals in the notice letter:
“We take the privacy and security of your Medicare information very seriously. CMS and Maximus apologize for the inconvenience this privacy incident might have caused you.”
Nonetheless, as a contractor handling vast amounts of healthcare data, Maximus failed to prevent a major breach despite advance warning about the MOVEit flaws circulating for weeks beforehand.
Government agencies must only partner with the most security-focused and diligent vendors to avoid similar recurrent issues. Healthcare data deserves the strongest possible safeguards.
The Big Picture on the Maximus and MOVEit Breaches
The hack on Maximus systems in May 2023 represents one incident in a tidal wave of cyber attacks exploiting the MOVEit file transfer app this year. Victim organizations include:
- 10 state governments (Maryland, California, Wisconsin, etc.)
- 130+ university networks
- Numerous federal agencies like the Office of Personnel Management, the Department of Veterans Affairs, the Department of Energy, and the Bureau of Land Management
- Major companies such as Airbnb, Uber, and Coinbase
Essentially, inadequate supply chain risk management around a single widely used software product allowed devastating access into both public and private sector networks.
The cyber criminal enterprise behind these coordinated exploits? A Russian-language ransomware syndicate called LockBit 3.0.
In an era where new data breaches break headlines every week, maintaining vigilance around protecting your sensitive information is crucial. That means being cautious when unsolicited contact occurs referencing your personal data.
The letter from Maximus notifying Medicare beneficiaries regarding their May 2023 MOVEit breach does check out as legitimate. If you receive this correspondence, take actions like enrolling in credit monitoring and placing a fraud alert on your credit file.
But the entire incident represents a cybersecurity and risk management failure at Maximus. For a major government contractor entrusted with mass healthcare data, allowing a damaging breach of this nature is unacceptable.
Any organization sharing sensitive citizen data bears responsibility for security failures ultimately impacting individuals. This Maximus notification letter should prompt both pointed questions from impacted healthcare consumers as well as accountability from culpable institutions.