Washington, D.C. — House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and House Committee on Oversight and Accountability Chairman James Comer (R-KY) today wrote to Centers for Medicare & Medicare Services (CMS) Administrator Chiquita Brooks-LaSure, requesting documents and communications to assist in investigating CMS’s response to a data breach impacting personally identifiable information of approximately 254,000 Medicare beneficiaries.
“On October 8, 2022, [Healthcare Management Solutions, LLC (HMS)] ‘was subject to a ransomware attack on its corporate network.’ CMS was notified about the data breach a day later, and on October 18, 2022, CMS ‘determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees.’ However, it was not until December 1, 2022, that CMS made the determination that the data breach constituted a ‘major incident,’ as defined in the Federal Information Security Modernization Act of 2014,” wrote Rodgers and Comer.
After becoming aware of a major data breach and potential exposure of Medicare beneficiaries’ personal information, it took CMS two months to determine that the data breach constituted a “major incident” as defined in the Federal Information Security Modernization Act.
“In other words, bad actors had access to Medicare beneficiaries’ information for two months before CMS determined this ransomware attack was a ‘major incident,’ triggering a legal obligation to inform Congress of such incident. [...] The compromised information potentially includes the following personally identifiable information (PII) and protected health information (PHI): name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, including routing and account numbers, and Medicare entitlement, enrollment, and premium information,” continued Chairs Rodgers and Comer.
CLICK HERE to read the letter to Administrator Brooks-LaSure.