Data breach may have exposed Medicare patient data

The Centers for Medicare and Medicaid Services (CMS) announced it is responding to a data breach at Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions. The breach may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). 

CMS contracts with ASRC Federal to resolve system errors related to Medicare beneficiary entitlement and premium payment records. The contractors also support Medicare premium collections from the direct-paying beneficiary population, though the contractor does not handle Medicare claims information.

According to the agency, no CMS systems were breached nor were any Medicare claims data involved. However, the breach may affect up to 254,000 Medicare beneficiaries’ PII. CMS noted that initial information shows HMS acted in violation of its obligations to CMS, which serves more than 64 million beneficiaries.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

The data breach comes after CMS recently warned the healthcare industry about a new ransomware threat, Royal. Healthcare data breaches have become increasingly costly to healthcare providers, costing an average of $10 million per breach, according to one recent study.

CMS said it is notifying beneficiaries who may be affected that their information may have been breached. The agency is also sending updated Medicare cards with a new Medicare Beneficiary Identifier. In addition, they will be offered free-of-charge credit monitoring services, and CMS will provide additional information about the incident. CMS instructed beneficiaries to destroy their old Medicare card and inform providers of their new number.

The agency said it immediately started an investigation when it found out about the data breach and worked with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. 

“CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS,” the agency said.

Amy Baxter
