Around 254,000 Medicare Beneficiaries Impacted by CMS Subcontractor Ransomware Attack

On November 14, 2022, Health Care Management Solutions (HMS), located in Fairmont, WV, reported a data breach to the HHS’ Office for Civil Rights that affected approximately 500,000 people. At that time, limited information regarding the breach was disclosed. It has now been confirmed that HMS experienced a ransomware attack on October 8, 2022.

As a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), HMS is a business associate of the HHS Centers for Medicare and Medicaid Services (CMS). It provides services such as resolving system errors associated with beneficiary eligibility and premium payment data, along with assisting with the receipt of Medicare premiums from direct-paying beneficiaries.

The CMS stated that HMS does not handle Medicare claims data, so no claims records were impacted and CMS systems were not compromised; nonetheless, the cybercriminals responsible for the attack could have viewed the protected health information (PHI) and/or personally identifiable information (PII) of Medicare beneficiaries. The CMS says about 254,000 Medicare beneficiaries were possibly affected and had some of their PII and PHI exposed.

The data compromised and probably stolen during the ransomware attack included names, birth dates, addresses, telephone numbers, Medicare beneficiary identifiers, Social Security numbers, banking data, and Medicare eligibility, enrollment, and premium details. The CMS is sending notification letters to impacted Medicare beneficiaries and said they will be issued updated Medicare cards with new beneficiary identifiers. No-cost credit monitoring services are being provided.

In October 2022, HMS experienced a cybersecurity incident that resulted in unauthorized access to its network and impacted some systems. HMS took action quickly and deactivated its system to contain the incident. Prominent external cybersecurity professionals were engaged to begin investigating the breach, and that investigation is still ongoing, according to an HMS representative. HMS takes patient privacy very seriously, is sorry for any problem this incident could have created in the community, and will inform affected persons according to its legal and contractual responsibilities.

HMS notified the CMS of the ransomware attack on October 9, 2022. On October 18, 2022, the CMS determined with confidence that Medicare beneficiary data was affected. Since then, the CMS has been working with the contractor to determine which people were affected. The CMS investigation of the ransomware attack is in progress; however, the preliminary information indicates that HMS acted in violation of its obligations to CMS. The CMS stated it was not aware of any attempted or actual misuse of the PHI and PII of Medicare beneficiaries.

CMS Administrator Chiquita Brooks-LaSure said that the safety and security of beneficiary information are of the greatest importance to the agency. It continues to assess the impact of the breach involving the subcontractor, to support persons likely impacted by the incident, and will take all necessary actions to safeguard the records entrusted to CMS.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.