Around 103,000 Medicare beneficiaries have been notified that some of their personal data and/or protected health information (PHI) was compromised in a data incident. The HHS Centers for Medicare and Medicaid Services (CMS) was recently notified that Medicare.gov accounts had been created in the names of individuals without their knowledge. CMS investigated the incident and confirmed that an unidentified threat actor used personal data acquired from unknown sources to create fake Medicare.gov accounts.
CMS said its Medicare call center began receiving phone calls on May 2, 2025, from Medicare beneficiaries who had received confirmation letters about the creation of an account in their name that they had not personally created.
CMS's investigation showed that malicious actors had created fake Medicare.gov accounts for roughly 103,000 beneficiaries using legitimate beneficiary data, including their birth date, Medicare beneficiary identifier (MBI), start date of coverage, and ZIP code. The fraudulent accounts were created from 2023 to 2025. The data used to create the accounts was probably acquired from a third-party data breach.
After creating the accounts, the threat actor can obtain more information, such as mailing address, provider details, diagnosis codes, dates of service, services received, and premium plan information. CMS's investigation has not found any report of data misuse thus far. However, as a safety measure, CMS gave the impacted beneficiaries a new MBI and deleted the fraudulent accounts. CMS also sent new Medicare cards with the new MBIs to the impacted beneficiaries.
CMS took additional safety steps because of the breach, such as blocking the creation of Medicare.gov accounts from foreign IP addresses. CMS will closely monitor the claims data of the impacted individuals. The impacted Medicare beneficiaries are urged to check their Explanation of Benefits statements and Medicare Summary Notices and to file a report if they see unfamiliar charges or services.