103K Medicare beneficiaries issued new IDs after ‘data incident’ at CMS
More than 100,000 people on Medicare will need a new ID number after a “data incident” at the Centers for Medicare & Medicaid Services led to “malicious actors” creating accounts for would-be beneficiaries, without their knowledge or consent.
The agency announced on Monday that it had begun notifying the approximately 103,000 people linked to suspicious account activity. It also said it’s deactivating the illegitimate accounts, as it works with a third party to investigate the situation.
For now, the details—including what data was compromised and precisely how—remain unknown. CMS did confirm that once these fake accounts were created, the criminals were able to pull certain patient records from Medicare databases, including provider information, details on medical diagnoses, health plan details, and the mailing addresses of patients.
However, the incident is not being called a data breach, as the details are complicated. The identity thieves would have needed personal information on patients to have created the accounts. CMS said that data was “obtained from unknown external sources,” possibly a data breach on a provider or payer, as troves from those events are often posted for sale on the dark web.
In addition to coverage start and end dates, dates of birth, names and zip codes, the malicious actors creating accounts through the Medicare portal would also have needed the ID numbers linked to patients—which is why CMS is issuing new ones.
Foreign identity thieves suspected
As for who is responsible, those details are being investigated. However, CMS said it’s also blocked foreign IPs from creating new accounts as a precaution, and it’s monitoring claims activity for any signs of suspicious activity. For now, there is no evidence the fake accounts and stolen data have been used to commit other acts of identity fraud, the agency confirmed.
CMS asked all Medicare beneficiaries to monitor their own records for signs of anything unusual, particularly on credit reports. Any sign of criminal activity should be reported to law enforcement.
The full announcement from CMS is available here.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.