miodrag ignjatovic | E+ | Getty Images
As many as 254,000 pieces of Medicare beneficiary’s personal information could have been compromised in an online ransomware attack on a government contractor, officials warned this week.
Letters will be sent to beneficiaries affected by the potential data breach, the Centers for Medicare & Medicaid Services said. Those affected — who make up less than 0.4% of Medicare’s 64.5 million beneficiaries — will also receive a replacement Medicare card with a new identification number in the next few weeks.
“The privacy and security of beneficiary information is of the utmost importance to this agency,” CMS Administrator Chiquita Brooks-LaSure said in the announcement.
More from Personal Finance:
Used car prices fell by 3.3% compared to the previous year
63% of Americans live paycheck to paycheck
How health insurance is helping cool inflation
“We continue to assess the impact of the breach involving the subcontractor, facilitate assistance to those who may be affected by the incident, and will take all necessary steps to protect the information entrusted to CMS,” Brooks-LaSure said .
Personal information that may be at risk includes name, address, date of birth, phone number, social security number, Medicare beneficiary identifier, banking information (including routing and account numbers), and information about Medicare entitlements, enrollments, and awards.
Free credit monitoring is also offered to data subjects; The letters sent contain information on how for the service.
According to the announcement, no CMS systems were breached and no Medicare claim data was involved. The agency is also not aware of any reports of identity fraud or misuse of personal data as a direct result of the incident.
Subcontractor Healthcare Management Solutions experienced the ransomware attack on its corporate network on October 8, according to CMS. The Company processes the agency data as part of the processing of Medicare eligibility and eligibility records and premium payments.
CMS was alerted the day after the attack, and on Oct. 18 officials “determined with high confidence that the incident may have involved personally identifiable information and protected health information for some Medicare members,” according to the CMS publication.
For its part, Healthcare Management Solutions told CNBC that it acted quickly to take its network offline to contain the cybersecurity incident and an investigation is ongoing. In a statement, the company said it also “regrets any concern this incident may have caused in our community and will notify affected individuals in accordance with legal and contractual obligations.”
According to Statista, more than 53 million people in the US were affected by data breaches in the first half of 2022. In 2021, the three hardest hit industries were healthcare, financial services and manufacturing.