CMS Notifies Medicare Beneficiaries of Data Breach

Dec. 15, 2022
On Dec. 14, CMS posted a press release responding to a data breach at Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions, LLC, that may have involved Medicare beneficiaries’ PHI

According to a Dec. 14 press release, the Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that possibly involves Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI).

The press release says that “No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach.”

The letter, which is posted in full in the press release, states that “On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.”

The letter notes that personal and Medicare information that may have been compromised includes: name, address, date of birth, phone number, Social Security Number, Medicare Beneficiary Identifier, banking information (including routing and account numbers), and Medicare entitlement, enrollment, and premium information. The letter says that no claims data were involved in this incident.

CMS says that when the incident was reported an investigation with the contractor and cybersecurity experts began immediately. The investigation is ongoing.

“The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records,” the press release notes. “The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.”

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?