Data Breach Involves 254K Medicare Beneficiaries
A business associate of a government contractor is hit with a ransomware attack.
The Centers for Medicare & Medicaid Services (CMS) confirms that Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), experienced a data breach in the form of a ransomware attack. The breach may have exposed some Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI); however, none of CMS’ systems were breached and no claims data were involved.
CMS Responds to Breach
CMS mailed letters in December 2022 to 254,000 Medicare enrollees who may have been affected. The Oct. 8, 2022, breach may have compromised PII and PHI including names, home addresses, banking information, and Social Security numbers.
“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
Since the incident, CMS has been working with ASRC Federal to determine what information and which individuals may have been affected. CMS reported that it is unaware of any attempted or actual misuse of Medicare beneficiaries’ PII or PHI. The data breach will not affect Medicare benefits or coverage.
As a precautionary measure, CMS is issuing affected enrollees new Medicare cards with a new Medicare Beneficiary Identifier number. Those affected are also encouraged to contact their financial institutions to alert them that their banking information may be compromised. CMS is also offering free-of-charge Equifax Complete Premier credit monitoring services to those affected.
Here’s What Happened
The contract services ASRC Federal provides to CMS as a business associate include resolving system errors related to Medicare beneficiary entitlement and premium payment records and collecting Medicare premiums from the direct-paying beneficiary population. HMS does not handle Medicare claims information.
HIPAA defines a business associate as a person or entity who performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. This includes creating, receiving, maintaining, and transmitting PHI. The ongoing investigation shows that HMS’ actions violated its obligations to CMS.
HIPAA Breach Notification Requirements:
- Companies must send an individual notice to the affected patient(s) within 60 days following the discovery of an unsecured PHI breach. This notice must be in written form by first class mail or via email when the affected patient has agreed to receive notices electronically.
- If the breach involves more than 500 patients, the company must take the additional step of providing notice to prominent media outlets serving that state or jurisdiction where the breach occurred. This notice can be accomplished in the form of a press release. As with individual notice, this must be accomplished within 60 days of discovery of the privacy breach and must include the same information provided in the individual notice.
- Companies must notify the secretary of the U.S. Department of Health & Human Services (HHS) of unsecured PHI breaches by submitting a breach report form (available on the HHS website). If the breach affects more than 500 patients, the practice must complete this task “without unreasonable delay,” but no later than 60 days following discovery. If the breach affects fewer than 500 patients, the practice can notify the secretary annually. Annual reports must be received no later than 60 days from the end of the calendar year when the breach(es) occurred.
- Medicare Updates IVIG Demonstration Payment for 2023 - January 26, 2023
- Data Breach Involves 254K Medicare Beneficiaries - January 6, 2023