Personal data of 254K Medicare beneficiaries at risk after breach

PROMO 64J1 Technology - Cyber Crime Handcuffs Money Computer Keyboard - iStock - turk_stock_photographer
Published Wednesday, March 22, 2023
by Casey Harper

(The Center Square) - Hundreds of thousands of Americans' personal information is at risk after Medicare's data was breached. Now, lawmakers want answers.

House Committee on Oversight and Accountability Chairman James Comer, R-Ky., and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., sent a letter demanding a range of documents and communications from the Centers for Medicare & Medicaid Services.

Lawmakers said that in October of last year Healthcare Management Solutions, a subcontractor to ASRC Federal Data Solutions, which works for CMS, suffered a ransomware attack. CMS "determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees."

"However, it was not until December 1, 2022, that CMS made the determination that the data breach constituted a 'major incident,' as defined in the Federal Information Security Modernization Act of 2014," the letter said.

Lawmakers blasted CMS, saying they dragged their feet in response to the hack.

"In other words, bad actors had access to Medicare beneficiaries' information for two months before CMS determined this ransomware attack was a 'major incident,' triggering a legal obligation to inform Congress of such incident," the letter said. "The compromised information potentially includes the following personally identifiable information (PII) and protected health information (PHI): name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, including routing and account numbers, and Medicare entitlement, enrollment, and premium information."

CMS said in December it was sending a letter to notify those affected and investigating the matter.

"The safeguarding and security of beneficiary information is of the utmost importance to this Agency," said CMS Administrator Chiquita Brooks-LaSure. "We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS."

Here's an excerpt from that letter:

After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:

  • Name
  • Address
  • Date of Birth
  • Phone Number
  • Social Security Number
  • Medicare Beneficiary Identifier
  • Banking information, including routing and account numbers
  • Medicare Entitlement, Enrollment, and Premium Information.

No claims data were involved in this incident.

This isn't the only time Americans' data has been mishandled by the federal government in recent years. Lawmakers are still pressuring the Internal Revenue Service for answers after it leaked the tax information of thousands of Americans to a nonprofit journalism group.

Lawmakers are investigating that leak but so far have gotten few answers. may earn an affiliate commission if you purchase products or services through links in an article. Prices, when displayed, are accurate at the time of publication but may change over time. Commissions do not influence editorial independence.

The Kiowa County Press is an independent newspaper published in Eads, Kiowa County, Colorado, and to the world at