CMS Notifying Potentially Involved Beneficiaries and Providing Information on Free Credit Monitoring
The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach. A copy of that letter can be found below.
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records. The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.
CMS is notifying Medicare beneficiaries whose PII and/or PHI may have been put at risk as a result of the breach that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier and be offered free-of-charge credit monitoring services, and CMS will provide additional information about the incident.
Sample letter to potentially affected beneficiaries:
[CMS LOGO]
Dear <<BENEFICIARY>>
We are writing to inform you of a potential privacy incident involving your personal information related to Medicare entitlement and premium payment records. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, is sending you this letter so that you can understand more about this incident, how we are addressing it, and additional steps you can take to protect your privacy. We will issue you a new Medicare card with a new Medicare Number and have provided information with this notice on free credit monitoring services. This does not impact your Medicare benefits or coverage.
What Happened?
On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.
What Information Was Involved?
After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:
No claims data were involved in this incident.
What We Are Doing
When the incident was reported, we immediately started an investigation, working with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS.
What You Can Do
At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, out of an abundance of caution we are issuing you a new Medicare card with a new number. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
1. Follow the instructions in the letter that comes with your new card.
2. Destroy your old Medicare card.
3. Inform your providers that you have a new Medicare Number.
While we continue to investigate what, if any, banking information may have been compromised, if you have concerns, please contact your financial institution and let them know your banking information may have been compromised. Additionally, you can enroll in free Equifax Complete Premier credit monitoring service. You do not need to use your credit card to enroll in the service. To activate your free credit monitoring:
For questions about the credit monitoring service or to enroll in Equifax Complete Premier over the phone, please call Equifax’s customer care team by (insert date) at <<xxx-xxx-xxxx>>.
We have enclosed additional information about other steps you can take to further protect your privacy.
For More Information
We take the privacy and security of your personal information very seriously. We apologize for the inconvenience this privacy incident has caused.
If you have any further questions regarding this incident, please call the Equifax dedicated and confidential toll-free response line at <<xxx.xxx.xxxx>>. This response line is staffed with professionals familiar with this incident who know what you can do to protect against misuse of your information. The response line is available Monday through Friday, <<X>>am to <<X>>pm Eastern. You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.
###
CMS News and Media Group
Catherine Howden, Director
Media Inquiries Form
202-690-6145
A federal government website managed and paid for by the U.S. Centers for Medicare & Medicaid Services.
7500 Security Boulevard, Baltimore, MD 21244