CMS subcontractor breach potentially exposes data of 254,000 Medicaid beneficiaries

Healthcare Management Solutions, LLC suffered a ransomware attack on its corporate network on Oct. 8, which CMS has been investigating since.

A Centers for Medicare and Medicaid Services subcontractor experienced a breach that may have exposed Medicare beneficiaries’ banking information, Social Security Numbers and other sensitive data, the agency announced Wednesday.

Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), violated its obligations to CMS and potentially 254,000 of its 64 million Medicare beneficiaries whose personally identifiable and protected health information may have been exfiltrated, according to the agency.

President Biden issued an executive order in February 2021 in an effort to shore up agencies’ supply chains, after Russia-linked hackers breached federal contractor SolarWinds’ software supply chain  — compromising nine agencies. Supply chain attacks continue to increase, prompting multiple reviews by the Department of Homeland Security’s Cyber Safety Review Board.

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS.”


ASRC Federal resolves system errors related to Medicare beneficiary entitlement and premium payment records and supports premium collection from direct payers for CMS. Subcontractor HMS suffered a ransomware attack on its corporate network on Oct. 8, which it notified CMS of the next day.

After an initial investigation, CMS concluded on Oct. 18 its data that HMS handled was potentially compromised for some Medicare beneficiaries.

CMS continues to notify beneficiaries whose information may have been exfiltrated by letter that they’ll receive an updated Medicare card with a new Medicare Beneficiary Identifier, which also may have been compromised; free credit monitoring services; and incident updates.

No CMS systems were breached or Medicare claims data involved. But names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare Beneficiary Identifiers, banking information including routing and account numbers, and Medicare entitlement, enrollment and premium information were potentially compromised, according to the agency.

Affected beneficiaries are advised to destroy their old Medicare card upon receipt of the new one, contact their financial institutions and enroll in Equifax Complete Premier credit monitoring for free using the letter’s instructions.


“At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” reads the letter sent to affected beneficiaries.

Healthcare Management Solutions was contacted for comment.

Latest Podcasts