A CMS contractor has agreed to pay a $306,722 fine for not securing screenshots of patient data.
ASRC Federal Data Solutions LLC, which provides Medicare support services, and a subcontractor stored screenshots from CMS systems containing personally identifiable information and possibly personal health data of Medicare beneficiaries, violating contractual cybersecurity requirements, according to the settlement agreement.
A third party improperly accessed the subcontractor's server in 2022 using authorized credentials, allegedly breaching the unencrypted screenshots.
"Safeguarding patients' sensitive personal information is of paramount importance," said Stephen Niemczak, special agent in charge of HHS' Office of the Inspector General, in an Oct. 15 statement. "This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the healthcare data of all Americans."