CMS Responding to Data Breach at Subcontractor
CMS Notifying Potentially Involved Beneficiaries and Providing Information on Free Credit Monitoring
The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach. A copy of that letter can be found below.
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records. The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.
CMS is notifying Medicare beneficiaries whose PII and/or PHI may have been put at risk as a result of the breach that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier, be offered free-of-charge credit monitoring services, and will provide additional information about the incident.
Sample letter to potentially affected beneficiaries:
We are writing to inform you of a potential privacy incident involving your personal information related to Medicare entitlement and premium payment records. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, is sending you this letter so that you can understand more about this incident, how we are addressing it, and additional steps you can take to protect your privacy. We will issue you a new Medicare card with a new Medicare Number and have provided information with this notice on free credit monitoring services. This does not impact your Medicare benefits or coverage.
On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.
What Information Was Involved?
After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:
- Date of Birth
- Phone Number
- Social Security Number
- Medicare Beneficiary Identifier
- Banking information, including routing and account numbers
- Medicare Entitlement, Enrollment, and Premium Information.
No claims data were involved in this incident.
What We Are Doing
When the incident was reported, we immediately started an investigation, working with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS.
What You Can Do
At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, out of an abundance of caution we are issuing you a new Medicare card with a new number. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
1. Follow the instructions in the letter that comes with your new card.
2. Destroy your old Medicare card.
3. Inform your providers that you have a new Medicare Number.
While we continue to investigate what, if any, banking information may have been compromised, if you have concerns, please contact your financial institution and let them know your banking information may have been compromised. Additionally, you can enroll in free Equifax Complete Premier credit monitoring service. You do not need to use your credit card to enroll in the service. To activate your free credit monitoring:
- Please review the attached insert with instructions
- You can enroll online or by calling (xxx xxx xxxx)
- Enroll by (insert date). Your code will not work after this date
- Visit the Equifax website to enroll at: www.equifax.com/activate
For questions about the credit monitoring service or to enroll in Equifax Complete Premier over the phone, please call Equifax’s customer care team by (insert date) at <<xxx-xxx-xxxx>>.
We have enclosed additional information about other steps you can take to further protect your privacy.
For More Information
We take the privacy and security of your personal information very seriously. We apologize for the inconvenience this privacy incident has caused.
If you have any further questions regarding this incident, please call the Equifax dedicated and confidential toll-free response line at <<xxx.xxx.xxxx>>. This response line is staffed with professionals familiar with this incident who know what you can do to protect against misuse of your information. The response line is available Monday through Friday, <<X>>am to <<X>>pm Eastern. You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.