CMS said a ransomware attack on a subcontractor may have affected as many as 254,000 Medicare beneficiaries and breached such personal data as Social Security numbers and bank account numbers.
Healthcare Management Solutions, which processes Medicare eligibility, entitlement records and premium payments, experienced a ransomware attack Oct. 8, CMS said. The company is a subcontractor of ASRC Federal Data Solutions.
"Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident," the agency wrote in the Dec. 14 news release.
CMS has begun notifying affected individuals, who will get a new Medicare card and number. The breached data may have included names, addresses, dates of birth, Social Security numbers, Medicare beneficiary identifiers, bank routing and account numbers, and Medicare entitlement, enrollment and premium information. No claims data was affected, CMS said.
"Patient privacy has always been our top priority, and we have steadfastly maintained our obligation to patients and to any agency or contractor with which we have worked," Healthcare Management Solutions emailed in a statement to Becker's. "We regret any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations."