CMS Breach Sees Up to 75,000 Consumers Affected

The Centers for Medicaid & Medicare Services (CMS) has announced that it was recently the victim of a cyberattack that has resulted in approximately 75,000 consumer records being accessed by unauthorised individuals. 

On October 13, 2018, staff at CMS, a federal agency within the United States Department of Health and Human Services, discovered that hackers had gained access to a health insurance system that interacts with the HealthCare.gov website and had accessed files containing the sensitive information of approximately 75,000 individuals.

The CMS staff discovered the breach when they noticed anomalous activity in the Federally Facilitated Exchanges system and the Direct Enrolment pathway used by agents and brokers to sign their customers up for health insurance coverage. An investigation was launched into the unusual behaviour, and three days later, the CMS confirmed there had been a data breach. Due to the scale of the breach, a public announcement about the cyberattack was made on Friday, October 19, 2018.

According to CMS, the number of files stolen represents only a small fraction of the total number of consumer records stored in the system. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details.

The organisation released a statement saying “CMS followed standard and appropriate security and risk protocols for researching and reporting the incident. Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify Federal law enforcement. We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information.”

Investigators for CMS have confirmed that the files have been accessed by unauthorised individuals. However, it has not yet been determined whether the information was actually stolen by the cybercriminals and used for nefarious purposes. As such, those whose data was accessed may still be at risk of falling victim to identity fraud.

In accordance with HIPAA’s Breach Notification Rules, CMS will be sending notification letters to all individuals whose personal information has been exposed. More information will be provided to the affected individuals on how to mitigate the risk that their data will be misused in the future. The CMS will release further information about the breach as and when it becomes available. Individuals who have been impacted by the breach will also be offered complementary resources such as credit protection services to further protect them from identity fraud. 

The investigation into the cyberattack is ongoing. The CMS is currently working on implementing new security controls to prevent further attacks. The Direct Enrolment system has been temporarily taken offline to allow the security updates to be applied. The CMS expects the system to be offline for about a week. It will be back online for the upcoming enrolment period that commences on November 1.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma.

The CMS notes that the attack only affected the system used by agents and brokers. There has not been a breach of the HealthCare.gov website, which is used by consumers to personally sign up for health insurance coverage. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available,” said Verma.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA