CMS Notifies Medicare Beneficiaries of Data Breach

Dec. 15, 2022
On Dec. 14, CMS posted a press release responding to a data breach at Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions, LLC, that may have involved Medicare beneficiaries’ PHI.

According to a Dec. 14 press release, the Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that possibly involves Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI).

The press release says that “No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach.”

The letter, which is posted in full in the press release, states that “On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.”

The letter notes that personal and Medicare information that may have been compromised includes: name, address, date of birth, phone number, Social Security Number, Medicare Beneficiary Identifier, banking information (including routing and account numbers), and Medicare entitlement, enrollment, and premium information. The letter says that no claims data were involved in this incident.

CMS says that when the incident was reported, an investigation with the contractor and cybersecurity experts began immediately. The investigation is ongoing.

“The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records,” the press release notes. “The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.”
