(The Center Square) Hundreds of thousands of Americansā personal information is at risk after Medicareās data was breached. Now, lawmakers want answers.
House Committee on Oversight and Accountability Chairman James Comer, R-Ky., and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., sent a letter demanding a range of documents and communications from the Centers for Medicare & Medicaid Services.
Lawmakers said that in October of last year Healthcare Management Solutions, a subcontractor to ASRC Federal Data Solutions, which works for CMS, suffered a ransomware attack. CMS ādetermined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees.ā
āHowever, it was not until December 1, 2022, that CMS made the determination that the data breach constituted a āmajor incident,ā as defined in the Federal Information Security Modernization Act of 2014,ā the letter said.
Lawmakers blasted CMS, saying they dragged their feet in response to the hack.
āIn other words, bad actors had access to Medicare beneficiariesā information for two months before CMS determined this ransomware attack was a āmajor incident,ā triggering a legal obligation to inform Congress of such incident,ā the letter said. āThe compromised information potentially includes the following personally identifiable information (PII) and protected health information (PHI): name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, including routing and account numbers, and Medicare entitlement, enrollment, and premium information.ā
CMS said in December it was sending a letter to notify those affected and investigating the matter.
āThe safeguarding and security of beneficiary information is of the utmost importance to this Agency,ā said CMS Administrator Chiquita Brooks-LaSure. āWe continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.ā
Hereās an excerpt from that letter:
After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:
- Name
- Address
- Date of Birth
- Phone Number
- Social Security Number
- Medicare Beneficiary Identifier
- Banking information, including routing and account numbers
- Medicare Entitlement, Enrollment, and Premium Information.
No claims data were involved in this incident.
This isnāt the only time Americansā data has been mishandled by the federal government in recent years. Lawmakers are still pressuring the Internal Revenue Service for answers after it leaked the tax information of thousands of Americans to a nonprofit journalism group.
Lawmakers are investigating that leak but so far have gotten few answers.
