The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS) – a subcontractor to CMS – that may have exposed personally identifiable information of up to 254,000 Medicare beneficiaries.
In a press release, CMS said the subcontractor was subject to a ransomware attack on its corporate network on Oct. 8, 2022. However, no CMS systems were breached and no Medicare claims data were involved.
“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
Out of an abundance of caution, CMS is mailing a letter this week to potentially impacted beneficiaries to notify them of the breach. Additionally, CMS said it will provide them with an updated Medicare card with a new Medicare Beneficiary Identifier and free credit monitoring services.
A draft of the letter says that HMS acted in violation of its obligations to CMS, and that the agency will continue to investigate the incident. HMS is a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal).
“The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records,” CMS said. “The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.”
CMS said it is not aware at this time of any reports of identity fraud or improper use of customer information as a direct result of the incident.
“In October 2022, Healthcare Management Solutions, LLC (HMS) experienced a cybersecurity incident involving unauthorized access to our network which impacted limited systems,” HMS said in a statement to MeriTalk. “HMS acted swiftly to take the network offline in order to contain the incident. Industry-leading external cybersecurity experts were engaged to launch an investigation into the incident, which remains ongoing.”
“Patient privacy has always been our top priority, and we have steadfastly maintained our obligation to patients and to any agency or contractor with which we have worked,” HMS added. “We regret any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations.”