Federal agency warns data of thousands of Medicare recipients could be stolen

The federal agency that administers Medicare has warned that a subcontractor has suffered a data breach that could involve “personally identifiable information of beneficiaries” or “protected health information.”

In a statement released Wednesday, the Centers for Medicare and Medicaid Services (CMS) announced that a federal subcontractor, Healthcare Management Solutions, had been infringed. No CMS systems were affected and no Medicare claims data was included.

Information obtained from CMS indicates that Healthcare Management Solutions “acted in violation of its obligations to CMS and that an incident involving” the company could affect up to 254,000 personally identifiable information of Medicare beneficiaries among the more than 64 million beneficiaries it serves. CMS, according to a press release.

The 254,000 affected individuals represent 0.4 percent of the roughly 64 million Medicare beneficiaries.

“The protection and security of beneficiary information is of the utmost importance to this agency,” CMS Director Chiquita Brooks-LaSure said in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate the provision of support to individuals potentially affected by the incident, and will take all necessary measures to protect information entrusted to CMS.”

Data that may have been breached includes recipient names, addresses, Social Security numbers, phone numbers, Medicare beneficiary number, and banking information such as account numbers, routing, Medicare enrollment, and token information, according to the CMS.

CMS added, “At this time, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident.”

“However, out of an abundance of caution, we are issuing you a new Medicare card with a new number,” the agency said. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your current Medicare card.

An IT researcher displays on a giant screen a computer infected with ransomware in a laboratory in Rennes, France, November 3, 2016. (Damien Meyer / AFP via Getty Images)

Once the new card is sent, the agency recommends that Medicare recipients follow the instructions on the new card, destroy the old Medicare card, and inform providers of the new Medicare number.

“When the incident was reported, we immediately launched an investigation, working with the contractor and cybersecurity experts to determine what personal information, if any, may have been compromised. CMS continues to investigate this incident and will continue to take all appropriate measures to protect the information entrusted to CMS.”

In October, Healthcare Management Solutions reported that it had been targeted by a ransomware attack on the company’s systems, according to a CMS News statement.

“On October 9, 2022, CMS was notified that the subcontractor’s systems had experienced a cyber security incident but that CMS systems were not involved,” the agency said. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident likely involved personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to identify information and individuals that may have been lost. affected.”

CMS said free credit monitoring services are also being offered to affected Medicare beneficiaries. The messages sent to affected people include steps on how to register.

data breaches

During the first half of this year, about 53 million people in the United States were affected by data breaches, according to data site Statista. And I found that many of those shores included manufacturing, financial services, and healthcare.

A report released late last year found that global ransomware attacks increased 151 percent in the first half of 2021 compared to 2020, and hackers are set to become more aggressive.

Citing the attacks on North American health facilities and a US pipeline, the Canadian Telecommunications Security Corporation (CSE) said the size and scope of ransomware operators posed security and economic risks to Canada and its allies. He was referring to the ransomware attack that brought down the Colonial Pipeline that distributes petroleum products across the United States for about a week in May 2021.

“Rsomware operators are likely to become more aggressive in their targeting, including against critical infrastructure,” the report said. “It is likely that ransom payments will balance out the market, as cybercriminals become better at tailoring their demands to what their victims are likely to pay,” the CSE added.

The report also found that actors in China, Iran and Russia posed the most significant threat.

Reuters contributed to this report.