CMS Subcontractor Breach Potentially Exposes Sensitive Data of 254,000 Customers


The Centers for Medicare and Medicaid said the breach involved a subcontractor that appears to have violated its obligations to the agency.

Personal data, including bank routing and account numbers, for 254,000 individuals may have been exposed during a ransomware attack on an agency subcontractor, according to the Centers for Medicare & Medicaid Services (CMS).

The subcontractor—Healthcare Management Solutions LLC (HMS)—is operating under a contract with ASRC Federal Data Solutions LLC to resolve “system errors related to Medicare beneficiary entitlement and premium payment records,” and “support the collection of Medicare premiums from the direct-paying beneficiary population,” CMS said in a press release Wednesday. 

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” CMS Administrator Chiquita Brooks-LaSure said in the press release. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

The attack occurred on Oct. 8, according to a sample letter CMS said it is sending to the potentially affected beneficiaries “this week.” The next day, CMS “was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved,” the letter says. On Oct. 18, the letter adds, CMS determined with “high confidence” that the incident potentially included the sensitive information.

“Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident,” the letter reads. 

In addition to the banking information, the exposed data may have included beneficiaries’ names, addresses, dates of birth, Social Security numbers and Medicare Beneficiary Identifiers, as well as Medicare entitlement, enrollment and premium information.

CMS’ letter to the Medicare beneficiaries says the agency is unaware of any identity fraud or improper use of their information “as a direct result of this incident,” but that “out of an abundance of caution” it will issue them a new Medicare card with a new number in the coming weeks. Beneficiaries can continue using their existing cards in the interim, the letter says.

The agency also provided instructions for obtaining free credit monitoring services from Equifax.

CMS has not responded to a request for comment regarding the contractors’ cybersecurity measures or their compliance with any related requirements.