Cyber Incident Victim: Healthcare Management Solutions, LLC
Date:
Oct 2022
Location:
United States of America
Summary
A ransomware attack targeted Healthcare Management Solutions, LLC, a subcontractor handling Medicare beneficiary entitlement and premium payment records, compromising personal and health information for up to 254,000 individuals. Exposed data included names, addresses, Social Security Numbers, Medicare Beneficiary Identifiers, banking details, and enrollment information, though no CMS systems or Medicare claims data were breached. The subcontractor violated its obligations to CMS, prompting the agency to issue new Medicare cards with updated identifiers and offer free credit monitoring services to affected beneficiaries while continuing its investigation into the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 8, 2022, Healthcare Management Solutions, LLC (HMS), a subcontractor for ASRC Federal Data Solutions under a Centers for Medicare & Medicaid Services (CMS) contract, experienced a ransomware attack on its corporate network. The breach involved unauthorized access to systems processing Medicare beneficiary entitlement and premium payment records, though no CMS systems or Medicare claims data were compromised. CMS was notified of the cybersecurity incident on October 9, 2022, and by October 18, 2022, confirmed with high confidence that personally identifiable information (PII) and protected health information (PHI) of Medicare beneficiaries had been potentially exposed. Initial investigations revealed HMS violated its contractual obligations to CMS in handling sensitive data. The incident impacted approximately 254,000 Medicare beneficiaries out of CMS's total enrollment of over 64 million individuals, exposing names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare Beneficiary Identifiers, banking details (including routing and account numbers), and Medicare entitlement, enrollment, and premium information.
CMS initiated a multi-phase response, mailing notification letters to affected beneficiaries starting the week of October 8, 2022. The agency offered free Equifax Complete Premier credit monitoring services with enrollment deadlines specified in the correspondence and issued new Medicare cards with updated Medicare Beneficiary Identifiers to all potentially impacted individuals. Beneficiaries were instructed to destroy their old cards upon receiving replacements and to notify healthcare providers of their new identifiers. CMS emphasized that Medicare benefits and coverage remained unaffected and advised individuals to contact financial institutions proactively due to potential banking data exposure. The agency launched an ongoing investigation with cybersecurity experts and the contractor to determine the full scope of the breach while reiterating its commitment to safeguarding beneficiary information. No identity fraud or misuse of data directly linked to the incident had been reported at the time of the public disclosure.