As many as 254,000 Medicare beneficiaries receive new ID cards due to a data breach at a subcontractor. What they need to know

Officials warned this week that up to 254,000 personal information of Medicare beneficiaries could have been compromised in an online ransomware attack on a government subcontractor.

The Centers for Medicare and Medicaid Services said the messages are being sent to recipients affected by the potential data breach. Those affected — who represent less than 0.4% of the 64.5 million Medicare beneficiaries — will receive a replacement Medicare card with a new identification number in the next few weeks.

“The protection and security of beneficiary information is of the utmost importance to this agency,” said CMS Director Chiquita Brooks-LaSure in the announcement.

More personal finance:
Used car prices are down 3.3% from last year
63% of Americans live paycheck to paycheck
How health insurance helps calm inflation

“We continue to assess the impact of the breach involving the subcontractor, facilitate support for individuals potentially affected by the incident, and will take all necessary measures to protect the information entrusted to CMS,” said Brooks-LaSure.

Personal information that could have been compromised includes name, address, date of birth, phone number, Social Security number, Medicare beneficiary ID, banking information (including routing and account numbers), Medicare entitlement, enrollment, and premium information.

Free credit monitoring is also offered to affected individuals; The messages that are sent include information on how to subscribe to the service.

According to the announcement, no CMS systems were hacked, and no Medicare claims data was included. The agency is also not aware of any reports of identity fraud or improper use of personal information as a direct result of the incident.

The subcontractor, Healthcare Management Solutions, suffered a ransomware attack on the company’s network on Oct. 8, according to CMS. The company handles agency data as part of processing Medicare eligibility and eligibility records, as well as premium payments.

CMS was alerted the day after the attack, and on Oct. 18, officials determined “with high confidence that the incident likely involved protected personal and health information of some Medicare enrollees,” according to the CMS release.

For its part, Healthcare Management Solutions told CNBC that it acted quickly to shut down its network in order to contain the cyber security incident and the investigation is still ongoing. In a statement, the company said it also regrets “any concern that this incident may have caused our community and will notify affected individuals in accordance with legal and contractual obligations.”

In the first half of 2022, more than 53 million individuals in the United States were affected by a data breach, according to Statista. In 2021, the three hardest hit industries are healthcare, financial services, and manufacturing.