Personal data of 250,000 Medicare recipients compromised by federal subcontractor during ransomware attack



Hundreds of thousands of Americans’ personal information is at risk after Medicare’s data was breached. Now, lawmakers want answers.

House Committee on Oversight and Accountability Chairman James Comer, R-Ky., and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., sent a letter demanding a range of documents and communications from the Centers for Medicare & Medicaid Services.

Lawmakers said that in October of 2022, Healthcare Management Solutions, a subcontractor to ASRC Federal Data Solutions, which works for CMS, suffered a ransomware attack. CMS “determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees.”

“However, it was not until December 1, 2022, that CMS made the determination that the data breach constituted a ‘major incident,’ as defined in the Federal Information Security Modernization Act of 2014,” the letter said.

Lawmakers blasted CMS, saying they dragged their feet in response to the hack.

“In other words, bad actors had access to Medicare beneficiaries’ information for two months before CMS determined this ransomware attack was a ‘major incident,’ triggering a legal obligation to inform Congress of such incident,” the letter said. “The compromised information potentially includes the following personally identifiable information (PII) and protected health information (PHI): name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, including routing and account numbers, and Medicare entitlement, enrollment, and premium information.”

CMS said in December it was sending a letter to notify those affected and investigating the matter.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

Here’s an excerpt from that letter:

After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:

  • Name
  • Address
  • Date of Birth
  • Phone Number
  • Social Security Number
  • Medicare Beneficiary Identifier
  • Banking information, including routing and account numbers
  • Medicare Entitlement, Enrollment, and Premium Information.

No claims data were involved in this incident.

This isn’t the only time Americans’ data has been mishandled by the federal government in recent years. Lawmakers are still pressuring the Internal Revenue Service for answers after it leaked the tax information of thousands of Americans to a nonprofit journalism group.

Lawmakers are investigating that leak but so far have gotten few answers. 

Casey Harper is a Senior Reporter for the Washington, D.C. Bureau. He previously worked for The Daily Caller, The Hill, and Sinclair Broadcast Group. A graduate of Hillsdale College, Casey’s work has also appeared in Fox News, Fox Business, and USA Today.


  1. News flash because of incompetent public employees who want raises and can’t be fired let data out of their files. I just can’t be leave the federal government is so Incompetent and would do this. What will we do . I guess we should just print everybody’s information and mail it out to everybody.

  2. Name
    Date of Birth
    Phone Number
    Social Security Number
    Medicare Beneficiary Identifier
    Banking information, including routing and account numbers
    Medicare Entitlement, Enrollment, and Premium Information.
    As long as it wasn’t those little 3 digit security codes on the back.

  3. Just wonderful. HMS is the new fiscal agent contracted by Alaska Department of Health Division of Healthcare Services to manage all of the Medicaid billing for the State of Alaska.

  4. Things like this are going to occur more frequently. As a nation (even globally), we have all passively signed off on doing business and recreation digitally. All software can be hacked.

  5. We demand the information on every public employee and politician. It’s only right sense they have ours. The taxpayer should have all the records and documents. Remember these politicians say transparency is what they stand for. No more secrets we have a right to know.

Comments are closed.