Data breach may have exposed Medicare patient data

The Centers for Medicare and Medicaid Services (CMS) announced it is responding to a data breach at Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions. The breach may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). 

CMS contracts with ASRC Federal to resolve system errors related to Medicare beneficiary entitlement and premium payment records. The contractor also supports Medicare premium collections from the direct-paying beneficiary population, though it does not handle Medicare claims information.

According to the agency, no CMS systems were breached, nor were any Medicare claims data involved. However, the breach may affect up to 254,000 Medicare beneficiaries’ PII. CMS noted that initial information shows HMS acted in violation of its obligations to CMS, which serves more than 64 million beneficiaries.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

The data breach comes after CMS recently warned the healthcare industry about a new ransomware threat, Royal. Healthcare data breaches have become increasingly costly to healthcare providers, costing an average of $10 million per breach, according to one recent study.

CMS said it is notifying beneficiaries who may be affected that their information may have been breached. The agency is also sending updated Medicare cards with a new Medicare Beneficiary Identifier. In addition, they will be offered free-of-charge credit monitoring services, and CMS will provide additional information about the incident. CMS instructed beneficiaries to destroy their old Medicare card and inform providers of their new number.

The agency said it immediately started an investigation when it found out about the data breach and worked with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. 

“CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS,” the agency said.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."
