Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

CMS responds to third-party data breach

CMS responds to third-party data breach

The Centers for Medicare & Medicaid Services (CMS) recently responded to a data breach at subcontractor Healthcare Management Solutions, LLC (HMS). The incident may have affected Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI). 

According to the press release, “HMS acted in violation of its obligations to CMS and the incident has the potential to impact up to 254,000 Medicare beneficiaries out of the over 64 million beneficiaries that CMS serves.”

Keep reading to learn more about the data breach and what CMS is doing in response. Plus, find out how covered entities can protect themselves with a HIPAA compliant email platform.


What happened?


On October 8, HMS’ corporate network was targeted in a ransomware attack. As a CMS subcontractor, HMS resolves system errors connected to Medicare beneficiary entitlement. The company also helps collect premiums from the direct-paying beneficiary population. 

CMS was informed of the cybersecurity incident on October 9. However, it was initially found that no CMS systems or Medicare claims data were involved. As soon as the incident was reported, CMS immediately began an investigation to uncover what personal information may have been compromised.

On October 18, CMS determined that the incident potentially included PII and PHI for certain Medicare enrollees. Specifically, exposed data might have included the following:

  • Name
  • Address
  • Date of Birth
  • Phone Number
  • Social Security Number
  • Medicare Beneficiary Identifier
  • Banking information, including routing and account numbers
  • Medicare Entitlement, Enrollment, and Premium Information


How is CMS responding to the data breach? 


CMS is mailing letters to all potentially impacted beneficiaries to directly inform them of the data breach. The company states that they are “continuing to investigate this incident and will take all appropriate actions to safeguard the information entrusted to CMS.”

While CMS is not aware of any identity fraud cases connected to the breach, they are still issuing new Medicare cards with a new Beneficiary Identifier out of an abundance of caution. Beneficiaries are also being offered Equifax Complete Premier credit monitoring services free-of-charge. 

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”


Protect your organization with Paubox


Healthcare providers can avoid data breaches in the first place by making risk management a top priority. This includes ensuring that every third-party vendor is willing to sign a business associate agreement (BAA), which outlines the responsibilities of the business associate to keep protected health information (PHI) secure.

And with email serving as a leading entry point for cybercrime, human error is often at fault for letting ransomware into a network system. Therefore, it is critical for healthcare providers to safeguard PHI at every stage with a HIPAA compliant email provider.

Designed to seamlessly integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other cyberattacks from even reaching the inbox in the first place. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.