CMS sought to explain delayed subcontractor breach notification

FedScoop reports that the Centers for Medicare and Medicaid Services has been urged by House Committee on Oversight and Accountability Chairman Rep. James Comer, R-Ky., and House Committee on Energy and Commerce Chair Rep. Cathy McNorris, R-Wash., to provide more details behind the nearly two-month delay in its disclosure of a ransomware attack-related data breach at its subcontractor Healthcare Management Solutions, which compromised 254,000 Medicare beneficiaries. While CMS noted that Medicare enrollee data may have been exposed in the breach on Oct. 18, it only alerted Congress about the incident on Dec. 1 and waited until mid-December to detail that beneficiaries had their names, birthdates, addresses, phone numbers, Social Security numbers, and Medicare Beneficiary Identifiers, as well as sensitive banking details compromised as a result of the attack, said the lawmakers in a letter to CMS Administrator Chiquita Brooks-LaSure. Congress should be given CMS' communications regarding the ransomware attack and breach notification to its committees by April 3, the lawmakers added.