Skip to main content
Press Release Published: Mar 20, 2023

Comer, Rodgers Press for Information on Data Breach of Thousands of Medicare Beneficiaries’ Personally Identifiable Information

Send letter to CMS requesting all documents and communications related to ransomware attack

WASHINGTON—House Committee on Oversight and Accountability Chairman James Comer (R-Ky.) and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) are calling on Centers for Medicare & Medicare Services (CMS) Administrator Chiquita Brooks-LaSure to provide documents and communications to assist in investigating CMS’s response to a data breach impacting personally identifiable information of approximately 254,000 Medicare beneficiaries.

“On October 8, 2022, [Healthcare Management Solutions, LLC (HMS)] ‘was subject to a ransomware attack on its corporate network.’ CMS was notified about the data breach a day later, and on October 18, 2022, CMS ‘determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees.’ However, it was not until December 1, 2022, that CMS made the determination that the data breach constituted a ‘major incident,’ as defined in the Federal Information Security Modernization Act of 2014,” wrote Chairs Comer and Rodgers.

After becoming aware of a major data breach and potential exposure of Medicare beneficiaries’ personal information, it took CMS two months to determine that the data breach constituted a “major incident” as defined in the Federal Information Security Modernization Act (FISMA).

“In other words, bad actors had access to Medicare beneficiaries’ information for two months before CMS determined this ransomware attack was a ‘major incident,’ triggering a legal obligation to inform Congress of such incident. […] The compromised information potentially includes the following personally identifiable information (PII) and protected health information (PHI): name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, including routing and account numbers, and Medicare entitlement, enrollment, and premium information,” continued Chairs Comer and Rodgers.

The letter to the Honorable Chiquita Brooks-LaSure, administrator at the Centers for Medicare & Medicaid Services, can be found here.