Post Date: December 19, 2022

CMS Notifying Potentially Involved Beneficiaries and Providing Information on Free Credit Monitoring

The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), which may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach. A copy of that letter can be found below.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records. The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.

CMS is notifying Medicare beneficiaries whose PII and/or PHI may have been put at risk as a result of the breach that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier, be offered free-of-charge credit monitoring services, and will provide additional information about the incident.

What Happened?

On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.

What Information Was Involved?

After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:

• Name
• Address
• Date of Birth
• Phone Number
• Social Security Number
• Medicare Beneficiary Identifier
• Banking information, including routing and account numbers
• Medicare Entitlement, Enrollment, and Premium Information.

No claims data were involved in this incident.

What We Are Doing?

When the incident was reported, we immediately started an investigation, working with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS.

What You Can Do?

At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, out of an abundance of caution we are issuing you a new Medicare card with a new number. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:

1. Follow the instructions in the letter that comes with your new card.
2. Destroy your old Medicare card.
3. Inform your providers that you have a new Medicare Number.

While we continue to investigate what, if any, banking information may have been compromised, if you have concerns, please contact your financial institution and let them know your banking information may have been compromised. Additionally, you can enroll in free Equifax Complete Premier credit monitoring service. You do not need to use your credit card to enroll in the service.   

To activate your free credit monitoring, visit the Equifax website to enroll at: 

www.equifax.com/activate

Visit CMS.gov for information and updates relating to this matter!

Follow Glo Services LLC on:
Facebook: @gloservices.us
YouTube: Glo Services LLC