CMS Notifies Medicare Beneficiaries of Information Breach

In keeping with a Dec. 14 press release, the Facilities for Medicare & Medicaid Providers (CMS) is responding to an information breach at Healthcare Administration Options, LLC (HMS), a subcontractor of ASRC Federal Information Options, LLC (ASRC Federal), that probably includes Medicare beneficiaries’ personally identifiable data (PII) and/or protected well being data (PHI).

The press launch says that “No CMS techniques have been breached and no Medicare claims knowledge have been concerned. Preliminary data signifies that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to influence as much as 254,000 Medicare beneficiaries’ personally identifiable data out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries which were doubtlessly impacted a letter from CMS notifying them instantly of the breach.”

The letter, which is posted in full within the press launch, states that “On October 8, 2022, Healthcare Administration Options (HMS), LLC, a CMS subcontractor, was topic to a ransomware assault on its company community. HMS handles CMS knowledge as a part of processing Medicare eligibility and entitlement data, along with premium funds. Preliminary data signifies that HMS acted in violation of its obligations to CMS, and CMS continues to examine the incident. No CMS techniques have been breached, and no Medicare claims knowledge have been concerned. On October 9, 2022, CMS was notified that the subcontractor’s techniques had been topic to a cybersecurity incident however CMS techniques weren’t concerned. As extra data grew to become accessible, on October 18, 2022, CMS decided with excessive confidence that the incident doubtlessly included personally identifiable data and guarded well being data for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to find out what data and which people might have been impacted.”

The letter notes that private and Medicare data that might have been compromised consists of: title, deal with, date of beginning, telephone quantity, Social Safety Quantity, Medicare Beneficiary Identifier, banking data (together with routing and account numbers), and Medicare entitlement, enrollment, and premium data. The letter says that no claims knowledge have been concerned in this incident.

CMS says that when the incident was reported an investigation with the contractor and cybersecurity specialists started instantly. The investigation is ongoing.

“The providers supplied to CMS beneath the contract with ASRC Federal embody resolving system errors associated to Medicare beneficiary entitlement and premium fee data,” the press launch notes. “The contractors’ providers additionally help the gathering of Medicare premiums from the direct-paying beneficiary inhabitants. The contractor doesn’t deal with Medicare claims data.”