The Centers for Medicare & Medicaid Services (CMS) announced on December 14 that they are responding to a data breach at Healthcare Management Solutions, LLC (HMS), a CMS subcontractor. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments.
HMS was apparently the victim of a ransomware attack on its corporate network. While no CMS systems were breached, and no Medicare claims data was involved, there is the potential that personally identifiable information (PII) and/or protected health information (PHI) for up to 254,000 Medicare beneficiaries might have been accessed.
This week, CMS is mailing beneficiaries that have been potentially impacted a letter notifying them directly of the breach. CMS continues to investigate and assess the impact of the breach. CMS will send those who were affected an updated Medicare card with a new Medicare Beneficiary Identifier, offer free-of-charge credit monitoring services, and will provide additional information about the incident as it comes to light.