Subcontractor Breach Affects 245K Medicare BeneficiariesCMS: Vendor 'Violated Obligations' to Agency; New Medicare Cards, IDs Being Issued
Nearly a quarter million Medicare beneficiaries require new identifiers and ID cards following a ransomware attack on a government contractor that compromised a range of sensitive personal and health information.
The Centers for Medicare and Medicaid Services in a statement Wednesday said it is notifying 245,000 Medicare beneficiaries affected by a data breach experienced by a subcontractor to a company hired to resolve system errors related to beneficiary entitlement and premium payment records. Approximately 64 million Americans benefit from Medicare.
The subcontractor is Healthcare Management Solutions and the main contractor is ASRC Federal Data Solutions. CMS wrote in its breach notification letter without elaboration that an initial investigation points to the subcontractor having "acted in violation of its obligations."
The incident may have exposed sensitive data including names; birthdates; phone numbers; Medicare identifiers; banking information, such as routing and account numbers; Medicare enrollment, entitlement and premium information; and Social Security numbers.
Ransomware hackers did not compromise federal systems or obtain Medicare claims data, CMS says. The attack occurred on Oct. 8 on HMS' corporate network.
After this story ran, HMS provided a statement to Information Security Media Group stating that it "acted swiftly to take the network offline in order to contain the incident. Industry-leading external cybersecurity experts were engaged to launch an investigation into the incident, which remains ongoing."* The company says it regrets "any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations.”
New IDs, New Cards
The federal agency says it will offer affected individuals complimentary credit monitoring and will issue new Medicare cards and ID numbers to the beneficiaries affected. It is unaware at this time of any identity fraud associated with the incident.
Medicare IDs in years past were based on beneficiaries' Social Security numbers. CMS in 2018 began replacing those ID numbers with new ones not connected to the Social Security program following concerns about identity fraud.
Because Medicare ID numbers issued today are unique and not tied to the Social Security numbers, making an ID change to combat identity theft or fraud can be a useful step in minimizing the impacts, says Dave Bailey, vice president of security services at consultancy CynergisTek.
Bailey says it is also possible for individuals to get a new Social Security number issued by contacting the Social Security Administration in the wake of a serious compromise. "However, it would be important to understand the impacts of changing a number that has been uniquely connected to your financial and medical identity throughout your lifetime."
The incident involving HMS is the latest of a growing list of serious health data breaches reported so far this year involving vendors.
The HHS' Office for Civil Rights HIPAA Breach Reporting Tool website shows breaches in 2022 involving business associates - including ransomware attacks and other hacking incidents - were a leading cause in protected health information compromises.
Business associates were involved in about 40% of the nearly 700 major health data breaches reported to federal regulators this year. A business associate breach can have an outsize effect: they affected nearly half of the almost 50 million people caught up in a health breach.
"All vendors that provide support to the healthcare industry are potential targets, and the threat actors are exploiting their weaknesses to gain access, steal valuable data and extort the business for financial gain," Bailey says.
Privacy attorney Iliana Peters of the law firm Polsinelli recommends any business covered by HIPAA look closely at its business associate agreements to ensure that it clearly delineates important security incident and breach requirements.
Bailey says entities need to continually assess the risk to their organizations, including all their vendors. "Practice your response plans and validate that the controls you have in place will minimize impacts from cyberattacks."
*Update Dec. 19, 2022 16:30 UTC: Adds comment from HMS.