Federal Agency Warns Thousands of Medicare Recipients May Have Had Data Stolen

A health care professional prepares to enter a COVID-19 patient's room in a file photo. Megan Jelinger/AFP via Getty Images
Jack Phillips

The federal agency that manages Medicare warned that a subcontractor suffered a data breach that might involve “beneficiaries’ personally identifiable information” or “protected health information.”

In a statement issued on Wednesday, the Centers for Medicare & Medicaid Services (CMS) announced that a federal subcontractor, Healthcare Management Solutions, suffered the breach. No CMS systems were impacted and no data around Medicare claims were involved.

Information sourced by CMS suggests that Healthcare Management Solutions “acted in violation of its obligations to CMS and that the incident involving” the company could impact as many as 254,000 Medicare “beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves,” according to a news release.

The 254,000 impacted individuals represent 0.4 percent of Medicare’s approximately 64 million beneficiaries.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

Data that may have been breached include recipients’ names, addresses, Social Security numbers, phone numbers, Medicare beneficiary number, banking information such as account and routing numbers, and Medicare enrollment and premium information, according to CMS.

“At this time,” CMS added, “we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident.”

“However, out of an abundance of caution we are issuing you a new Medicare card with a new number,” the agency said. “CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card.”

An IT researcher shows on a giant screen a computer infected by a ransomware at a laboratory in Rennes, France, on Nov. 3, 2016. (Damien Meyer/AFP via Getty Images)

Once the new card is sent, the agency recommends that Medicare recipients follow instructions on the new card, destroy the old Medicare card, and inform providers of a new Medicare number.

“When the incident was reported, we immediately started an investigation, working with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS,” it said.

In October, Healthcare Management Solutions reported that it was targeted by a ransomware attack on its corporate systems, according to the CMS news release.

“On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved,” the agency said. “As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.”

Free credit-monitoring services are also being offered to the impacted Medicare recipients, CMS said. Letters that are being sent out to impacted people include steps on how to sign up.

Data Breaches

During the first half of this year, some 53 million people in the United States were impacted by data breaches, according to data website Statista. Many of those breaches involved manufacturing, financial services, and healthcare, it found.

A report issued late last year found that global ransomware attacks increased by 151 percent in the first half of 2021 compared with 2020 and hackers are set to become increasingly aggressive.

Canada’s Communications Security Establishment (CSE), citing attacks on North American health facilities and a U.S. pipeline, said the scale and scope of ransomware operators represented both security and economic risks to Canada and its allies. It was referring to the ransomware attack that took down the Colonial Pipeline that distributes petroleum products across the United States for about a week in May 2021.

“Ransomware operators will likely become increasingly aggressive in their targeting, including against critical infrastructure,” the report said. “Ransom payments are likely reaching a market equilibrium, where cybercriminals are becoming better at tailoring their demands to what their victims are most likely to pay,” CSE added.

Actors in China, Iran, and Russia posed the most significant threat, the report also found.

Reuters contributed to this report.
Jack Phillips
Breaking News Reporter
Jack Phillips is a breaking news reporter who covers a range of topics, including politics, U.S., and health news. A father of two, Jack grew up in California's Central Valley. Follow him on X: https://twitter.com/jackphillips5