The Centers for Medicare and Medicaid Services (CMS) announced it is responding to a data breach at Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions. The breach may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI).
CMS contracts with ASRC Federal to system errors related to Medicare beneficiary entitlement and premium payment records. The contractors also support Medicare premium collections from the direct-paying beneficiary population, though the contractor does not handle Medicare claims information.
According to the agency, no CMS systems were breached nor were any Medicare claims data involved. However, the breach may affect up to 254,000 Medicare beneficiaries’ PII. CMS noted that initial information shows HMS acted in violations of its obligations to CMS, which serves more than 64 million beneficiaries.
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
The data breach comes after CMS recently warned the healthcare industry about a new ransomware threat, Royal. Healthcare data breaches have become increasingly costly to healthcare providers, costing an average of $10 million per breach, according to one recent study.
CMS said it is notifying beneficiaries who may be affected that their information may have been breached. The agency is also sending updated Medicare cards with a new Medicare Beneficiary Identifier. In addition, they will be offered free-of-charge credit monitoring services, and CMS will provide additional information about the incident. CMS instructed beneficiaries to destroy their old Medicare card and inform providers of their new number.
The agency said it immediately started an investigation when it found out about the data breach and worked with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised.
“CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS,” the agency said.