On November 14, 2022, Fairmont, WV-based Health Care Management Solutions (HMS) reported a data breach to the HHS’ Office for Civil Rights that affected up to 500,000 individuals. At the time, few details about the breach were released. It has now been confirmed that HMS suffered a ransomware attack on October 8, 2022.
HMS is a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), which is a business associate of the HHS’ Centers for Medicare and Medicaid Services (CMS). The services provided include resolving system errors related to beneficiary entitlement and premium payment records, as well as supporting the collection of Medicare premiums from the direct-paying beneficiary population.
The CMS said HMS does not handle Medicare claims information, so no claims data was affected and CMS systems were not breached; however, the cybercriminals behind the attack may have accessed Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). The CMS says up to 254,000 Medicare beneficiaries have potentially been affected and had some of their PII and PHI exposed.
The information exposed and potentially stolen in the attack included names, addresses, birth dates, phone numbers, Social Security numbers, Medicare beneficiary identifiers, banking information, and Medicare entitlement, enrollment, and premium information. The CMS is issuing notification letters to affected Medicare beneficiaries and said those beneficiaries will be issued updated Medicare cards with new beneficiary identifiers. Complimentary credit monitoring services are being provided.
HMS notified the CMS about the ransomware attack on October 9, 2022, and on October 18, 2022, the CMS determined with a high degree of confidence that Medicare beneficiary information was involved. Since that date, the CMS has been working with its contractor to determine which individuals were affected. The CMS investigation into the ransomware attack is ongoing, but the initial information indicates HMS acted in violation of its obligations to CMS. The CMS said it is unaware of any attempted or actual misuse of the PII and PHI of Medicare beneficiaries.
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
The post Up to 254,000 Medicare Beneficiaries Affected by Ransomware Attack on CMS Subcontractor appeared first on HIPAA Journal.