As Many as 254,000 Medicare Beneficiaries Affected by CMS Subcontractor Ransomware Attack

On November 14, 2022, Health Care Management Solutions (HMS), based in Fairmont, WV, reported to the HHS’ Office for Civil Rights a data breach that affected around 500,000 people. At the time, minimal details regarding the breach were disclosed. It has now been confirmed that HMS experienced a ransomware attack on October 8, 2022.

As a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), HMS is a business associate of the HHS’ Centers for Medicare and Medicaid Services (CMS). Its services include resolving system problems linked to beneficiary entitlement and premium payment files and helping with the collection of Medicare premiums from direct-paying beneficiaries.

CMS stated that HMS does not manage Medicare claims data, so no claims information was impacted, and that CMS systems were not breached; nevertheless, the cybercriminals responsible for the attack may have viewed the personally identifiable information (PII) and/or protected health information (PHI) of Medicare beneficiaries. CMS states that around 254,000 Medicare beneficiaries were potentially affected and had some of their PII and PHI exposed.

The information compromised and possibly stolen in the attack included names, dates of birth, addresses, phone numbers, Social Security numbers, Medicare beneficiary identifiers, banking details, and Medicare entitlement, enrollment, and premium details. CMS is sending breach notification letters to the affected Medicare beneficiaries and said they will be provided with updated Medicare cards bearing new beneficiary identifiers. Free credit monitoring services are being provided.

In October 2022, HMS suffered a cybersecurity incident that resulted in unauthorized access to its network and impacted selected systems. HMS took action immediately and shut down its system in order to contain the incident. According to an HMS spokesperson, top external cybersecurity specialists were hired to investigate the incident, and that investigation remains ongoing. HMS takes patient privacy seriously, regrets any issue this incident may have caused in the community, and will alert affected persons in line with its legal and contractual obligations.

HMS informed CMS of the ransomware attack on October 9, 2022. On October 18, 2022, CMS determined with certainty that Medicare beneficiary records were involved. Since then, CMS has been working with the contractor to determine which people were affected. The CMS investigation of the ransomware attack is still in progress; however, the initial data suggests HMS was in violation of its obligations to CMS. CMS stated it is not aware of any attempted or actual misuse of the PHI and PII of Medicare beneficiaries.

CMS Administrator Chiquita Brooks-LaSure said that the protection and security of beneficiary data are of the highest importance to the agency. The agency is still assessing the impact of the breach involving the subcontractor, is helping to support persons possibly impacted by the incident, and will take all necessary actions to protect the data entrusted to CMS.