
The Department of Health and Human Services Centers for Medicare and Medicaid Services is currently notifying 254,000 out of its 64 million Medicare beneficiaries that their data was compromised after a ransomware attack on one of its third-party vendors.

The investigation is ongoing, but the initial information suggests that Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions, “acted in violation of its obligations to CMS.” The notice does not provide further details on what those actions may have been.

The incident spotlights the ongoing challenges facing the healthcare sector with vendor management, as the majority of the largest reported incidents this year have been tied to business partners.

On the whole, the sector relies on a massive number of third-party vendors and business associates to maintain daily operations. But each additional contract further expands the threat landscape, which has been compounded in recent years by the uptick in outsourced services and the spate of critical infrastructure attacks.

The CMS incident should serve as a warning for provider organizations that these types of breaches can affect anyone in healthcare.

The new notice does not detail the specific threat behind the breach, just that the subcontractor notified CMS on Oct. 9 that a cybersecurity incident hit its systems. About a week later, CMS confirmed “with high confidence” that protected health information and personally identifiable information for some Medicare enrollees were affected by the incident.

In response, CMS worked with the contractor to determine just what information was involved and confirmed no CMS systems were breached, nor any Medicare claims data.

Under its contract with ASRC, the vendor provides CMS with services for resolving system errors tied to Medicare beneficiary entitlement and premium payment records and supports the collection of Medicare premiums from the direct-paying beneficiary population.

As such, the compromised data could include names, dates of birth, Social Security numbers, contact details, Medicare beneficiary identifiers, banking information, Medicare entitlement information, enrollment, and premiums. All impacted patients will receive an updated Medicare card with a new beneficiary identifier and free credit monitoring services.

CMS is continuing to assess the impact of the incident, while supporting the impacted individuals. CMS Administrator Chiquita Brooks-LaSure explained in a statement that they’ll “take all necessary actions needed to safeguard the information entrusted to CMS.”