Subcontractor data breach

CMS Project Subcontractor Suffers Cyber Attack, Compromising Medicare Beneficiary Health Data

Healthcare Management Solutions has suffered a ransomware attack that may have compromised the personal health information of up to 254,000 Medicare beneficiaries, including Social Security numbers, banking details and other identifiers.

The company is a subcontractor under an ongoing ASRC Federal Data Solutions project with the Centers for Medicare and Medicaid Services. HMS provides troubleshooting services relating to entitlement and premium payment records and collects such premiums from direct payers.

According to a press release, CMS systems and Medicare claims data were left untouched. The agency is notifying beneficiaries about the leak and is planning to issue updated Medicare cards with new identifiers and offer free credit monitoring services.

Administrator Chiquita Brooks-LaSure said efforts are ongoing to assess the breach’s impact, support affected individuals and protect held information, CMS said Wednesday.

Earlier in December, Noblis secured a subcontract under a four-year CMS deal held by Aquia to deliver a software-as-a-service governance solution and a cyber risk review process. The agency aims to meet cybersecurity requirements handed down by the Biden administration.

ICF won two task orders in November to upgrade and maintain CMS’ online health data sharing and health care quality assessment services. The efforts are intended to improve public and professional access to such information.