CMS subcontractor hit with ransomware


CMS was notified on October 9 that the subcontractor’s corporate systems had been attacked with ransomware the day before.

HMS resolves system errors related to Medicare beneficiary entitlement and premium payment records for CMS under a contract with ASRC Federal Data Solutions, LLC, but does not handle Medicare claims information, according to the agency’s statement. 

The subcontractor also supports the collection of Medicare premiums from the direct-paying beneficiary population.

Initially, CMS was informed that Medicare beneficiary data was not involved, but by October 18, the agency said it was confident that some of its 64 million beneficiaries were involved in the data breach.

CMS is notifying the Medicare beneficiaries whose personally identifiable information (PII) or protected health information may have been put at risk as a result of the cyberattack incident that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier and can enroll in free-of-charge credit monitoring services.

The affected Medicare beneficiaries will need to inform providers of their new Medicare numbers, CMS says in the sample letter included with the statement.

The data potentially compromised may have included names; addresses; dates of birth; phone numbers; Social Security numbers; Medicare beneficiary identifiers; banking information including routing and account numbers and Medicare entitlement, enrollment and premium Information.

While CMS reiterated that HMS acted in violation of its obligations, it did not go any further at this time in explaining how the company that provides Medicare Premium Exception Reconciliation, and a number of other healthcare quality assurance, regulatory compliance and operational to governments, was in violation.

“It’s no secret that [PHI] is the most valuable type of data on the black market. The [CMS] breach is notable because it shows how vulnerable the sector is to supply chain attacks,” according to Mike Walters, vice president of vulnerability and threat research and co-founder of Action1 Corporation, which provides cloud-native patch management software, and former co-founder of Frisco, Texas-based Netwrix.

“Even though most of these measures are a part of compliance regulations such as HIPAA that healthcare contractors need to adhere to, in reality, there is no way for healthcare providers to control how closely contractors follow these practices and enforce compliance if required,” he said in an email statement.


Third-party risks had cost the healthcare industry nearly $24 billion per year by 2019 and were largely attributed to the inability to automate risk assessments and remediation. However, the average breach costs in healthcare surpassed $10 million, according to the 2022 IBM X-Force Cost of a Data Breach Report.

Compounding record-high costs are the largely manual, time-intensive processes of third-party risk assessment for resource-limited healthcare IT teams.

Even when completed, the assessments are a “snapshot in time,” according to Kathy Hughes CISO of Northwell Health, earlier this month at the 2022 HIMSS Cybersecurity Forum.

“As we do hundreds of thousands of these assessments, that bleeds into hundreds of thousands of issues that we see and find, which means hundreds of thousands of different things you have to manage,” said Erik Decker, assistant vice president and CISO at Intermountain Healthcare, during the third-party risk management panel.

Hughes advised organizations that to move the needle on third-party cybersecurity, they must negotiate with vendors and get commitments to comply with its standards – and, put that in the contract language.


“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. 

“We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS,” she added.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a HIMSS publication.

Source: Read Full Article