Up to 254,000 Medicare beneficiaries are getting new ID cards due to data breach at subcontractor. What they need to know

Up to 254,000 Medicare beneficiaries’ personal information may have been compromised in an online ransomware attack at a government subcontractor, officials warned this week.

Letters are being sent to the beneficiaries who were impacted by the potential data breach, said the Centers for Medicare & Medicaid Services. Those affected — who represent less than 0.4% of Medicare’s 64.5 million beneficiaries — will also receive a replacement Medicare card with a new identification number in the next few weeks.

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” CMS Administrator Chiquita Brooks-LaSure said in the announcement.

More from Personal Finance:
Used car prices are down 3.3% from a year ago
63% of Americans living paycheck to paycheck
How health insurance is helping cool inflation

“We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS,” Brooks-LaSure said.

The personal information that could have been compromised include name, address, date of birth, phone number, Social Security number, Medicare beneficiary identifier, banking information (including routing and account numbers) and Medicare entitlement, enrollment and premium information.

Free credit-monitoring also is being offered to the impacted individuals; the letters being sent include information on how to sign up for the service.

No CMS systems were breached, and no Medicare claims data were involved, according to the announcement. The agency also is not aware of any reports of identity fraud or improper use of the personal information as a direct result of the incident.

The subcontractor, Healthcare Management Solutions, experienced the ransomware attack on its corporate network on Oct. 8, according to CMS. The company handles the agency data as part of processing Medicare eligibility and entitlement records, as well as premium payments.

CMS was alerted the day after the attack, and on Oct. 18, officials “determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees,” according to the CMS release. 

For its part, Healthcare Management Solutions told CNBC that it acted swiftly to take its network offline to contain the cybersecurity incident and an investigation remains ongoing. In a statement, the company said it also regrets “any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations.”

In the first half of 2022, more than 53 million individuals in the U.S. were affected by data compromises, according to Statista. In 2021, the three most affected industries were healthcare, financial services and manufacturing.