Data breaches have become all too common in today’s digital landscape. Unfortunately, the healthcare industry is not immune to these threats. A recent breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), has raised concerns about the security of Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI).
CMS, the Centers for Medicare & Medicaid Services, is taking swift action to address the breach and ensure the affected individuals are notified and provided with the necessary support. While no CMS systems were breached and no Medicare claims data were involved, as many as 254,000 Medicare beneficiaries may have had their personally identifiable information compromised.
Taking Responsibility and Ensuring Security
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. CMS is committed to upholding the highest standards of protection for individuals’ sensitive data. In response to this breach, CMS is taking several proactive measures to mitigate the potential impact on affected beneficiaries.
The Role of Subcontractors
HMS is a subcontractor responsible for resolving system errors related to Medicare beneficiary entitlement and premium payment records. While it handles CMS data, including personal information, it does not have access to Medicare claims information. This breach highlights the importance of rigorous oversight and adherence to security protocols by all entities involved in the handling of sensitive data.
What Affected Beneficiaries Need to Know
CMS is in the process of notifying Medicare beneficiaries who may have been affected by the breach. Each individual will receive a personalized letter directly from CMS, explaining the incident and the steps that will be taken to protect their privacy. As part of the response to this breach, beneficiaries will receive an updated Medicare card with a new Medicare Beneficiary Identifier. CMS is also offering free credit monitoring services to affected individuals.
Understanding the Breach
On October 8, 2022, HMS experienced a ransomware attack on its corporate network. Initial investigations suggest that HMS failed to fulfill its obligations to CMS, leading to this breach. While CMS systems were not compromised, personal information and protected health information of some Medicare enrollees were potentially exposed. The data that may have been compromised includes names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare Beneficiary Identifiers, banking information, and Medicare entitlement, enrollment, and premium information. It’s important to note that no claims data were involved in this incident.
CMS’s Response and Your Role
CMS acted swiftly upon learning of the breach, initiating an investigation in collaboration with the contractor and cybersecurity experts. One of the immediate actions CMS is taking is providing affected beneficiaries with new Medicare cards and instructions on how to activate them. In the meantime, beneficiaries can continue using their existing Medicare cards. To further protect their privacy, beneficiaries are encouraged to destroy their old Medicare cards and inform their providers about their new Medicare numbers.
While CMS continues to investigate the extent of the compromised banking information, individuals are advised to contact their financial institutions if they have any concerns. Additionally, affected beneficiaries can enroll in Equifax Complete Premier credit monitoring service, free of charge. Instructions for enrolling can be found in the attached insert or by visiting Management.
Next Steps and Additional Support
CMS is dedicated to addressing this breach and ensuring that affected beneficiaries have all the necessary support to safeguard their information. Further information on steps individuals can take to protect their privacy is enclosed in the letter. If beneficiaries have any questions or concerns about the breach, they can contact the Equifax dedicated and confidential toll-free response line or call 1-800-MEDICARE for general inquiries.
Protecting sensitive data is a shared responsibility, and CMS remains committed to upholding the highest standards of security and privacy for Medicare beneficiaries.