CMS Responds to Third-Party Data Breach Impacting 254K Medicare Beneficiaries

December 15, 2022 - UPDATE 12/16/2022 - This article has been updated to include a statement from Healthcare Management Solutions. 

A third-party data breach potentially impacted the protected health information (PHI) and personally identifiable information (PII) of 254,000 Medicare beneficiaries, the Centers for Medicare & Medicaid Services (CMS) announced. No Medicare claims data were involved, and no CMS systems were breached during the incident.

On October 8, Healthcare Management Solutions (HMS) discovered that it was subject to a ransomware attack on its corporate network. HMS is a subcontractor of ASRC Federal Data Solutions.

CMS uses ASRC Federal Data Solutions and HMS to resolve system errors related to beneficiary entitlement and premium payment records. HMS also supports the collection of Medicare premium payments, but it does not handle Medicare claims information directly.

“Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves,” CMS stated.

On October 9, CMS was notified that the subcontractor had suffered a cybersecurity incident but was told that its systems were not involved. Later that month, CMS “determined with high confidence” that the incident may have included the PII and PHI of some of its beneficiaries.

The information involved in the ransomware attack potentially included names, addresses, phone numbers, Social Security numbers, Medicare Beneficiary identifiers, banking information, dates of birth, and Medicare entitlement, enrollment, and premium information.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” CMS Administrator Chiquita Brooks-LaSure said in a press release.

“We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

CMS is in the process of mailing new Medicare cards with new numbers to impacted individuals.

"In October 2022, Healthcare Management Solutions, LLC (HMS) experienced a cybersecurity incident involving unauthorized access to our network which impacted limited systems. HMS acted swiftly to take the network offline in order to contain the incident. Industry-leading external cybersecurity experts were engaged to launch an investigation into the incident, which remains ongoing," HMS said in a statement provided to HealthITSecurity.

"Patient privacy has always been our top priority, and we have steadfastly maintained our obligation to patients and to any agency or contractor with which we have worked. We regret any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations."