
Up to 254,000 Medicare Beneficiaries Affected by Ransomware Attack on CMS Subcontractor

On November 14, 2022, Fairmont, WV-based Health Care Management Solutions (HMS) reported a data breach to the HHS’ Office for Civil Rights that affected up to 500,000 individuals. At the time, few details about the breach were released. It has now been confirmed that HMS suffered a ransomware attack on October 8, 2022.

HMS is a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), which is a business associate of the HHS’ Centers for Medicare and Medicaid Services (CMS). The services provided include resolving system errors related to beneficiary entitlement and premium payment records, as well as supporting the collection of Medicare premiums from the direct-paying beneficiary population.

The CMS said HMS does not handle Medicare claims information, so no claims data was affected and CMS systems were not breached; however, the cybercriminals behind the attack may have accessed Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). The CMS says up to 254,000 Medicare beneficiaries have potentially been affected and had some of their PII and PHI exposed.

The information exposed and potentially stolen in the attack included names, addresses, birth dates, phone numbers, Social Security numbers, Medicare beneficiary identifiers, banking information, and Medicare entitlement, enrollment, and premium information. The CMS is issuing notification letters to affected Medicare beneficiaries and said they will be issued with updated Medicare cards with new beneficiary identifiers. Complimentary credit monitoring services are being provided.


“In October 2022, HMS experienced a cybersecurity incident involving unauthorized access to our network which impacted limited systems. HMS acted swiftly to take the network offline in order to contain the incident. Industry-leading external cybersecurity experts were engaged to launch an investigation into the incident, which remains ongoing,” explained a spokesperson for HMS in a comment provided to HIPAA Journal. “Patient privacy has always been our top priority, and we have steadfastly maintained our obligation to patients and to any agency or contractor with which we have worked. We regret any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations.”

HMS notified the CMS about the ransomware attack on October 9, 2022, and on October 18, 2022, the CMS determined with a high degree of confidence that Medicare beneficiary information was involved. Since that date, the CMS has been working with its contractor to determine which individuals were affected. The CMS investigation into the ransomware attack is ongoing, but the initial information indicates HMS acted in violation of its obligations to CMS. The CMS said it is unaware of any attempted or actual misuse of the PII and PHI of Medicare beneficiaries.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
