PolicyNet/Instructions Updates/EM 22064: Personally identifiable information (PII) breach of Centers for Medicare & Medicaid Services (CMS) contractor involving SSNs and MBIs

Effective Dates: 12/28/2022 - Present

Identification Number:	EM 22064
Intended Audience:	All RCs/ARCs/ADs/FOs/TSCs/PSCs/OCO/ODARHQ
Originating Office:	DCO OPSOS
Title:	Personally identifiable information (PII) breach of Centers for Medicare & Medicaid Services (CMS) contractor involving SSNs and MBIs - One Time Only
Type:	EM - Emergency Messages
Program:	All Programs
Link To Reference:	See References at the end of this EM.

Retention Date: June 28, 2023

A. Background

On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a Centers for Medicare & Medicaid Services (CMS) subcontractor, was subject to a ransomware attack on its corporate network. In addition to premium payments, HMS handles CMS data as part of processing Medicare eligibility and entitlement records. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. Currently, there is no evidence that this information has been used illegally.

B. Handling Inquiries about this PII release

If you receive a call related to the recent loss of PII, take the following steps.

1. Refer to the CMS New Release,

CMS Responding to Data Breach at Subcontractor

for information to provide the caller about the situation.

2. If the caller inquires about getting a new SSN because of this situation, inform them that a loss of data by an agency does not itself generate a need for a new SSN, consistent with guidance in RM 10220.060 - Assisting Identity Theft Victims, Section C. Responding to identity theft and data breach inquiries. Callers who have further questions or concerns about a new SSN may seek assistance from their local Field Office.

3. Tell the caller, as a precaution, since there were names, SSNs and other PII documents included in the information, he or she should continuously monitor his or her financial accounts for suspicious activity.

4. Inform the caller that he or she may obtain tips on how to guard against misuse of his or her personal information from the Federal Trade Commission's (FTC) website at

http://www.ftc.gov/bcp/edu/microsites/idtheft/

5. In addition, offer to mail the factsheet, "Identity Theft And Your Social Security Number" (05-10064) or if the caller has access to the Internet tell him or her that the factsheet can be downloaded from SSA's website at

https://www.ssa.gov/pubs/EN-05-10064.pdf

6. Advise the caller to contact his or her financial institution and credit providers if he or she detects a problem with any of his or her accounts.

Direct all program-related and technical questions to your Regional Office (RO) support staff or Processing Center (PC) Operations Analysis (OA) staff. RO support staff or PC OA staff may refer questions or problems to their Central Office contacts.

Sample letter to potentially affected beneficiaries 122022.docx

References:
RM 10220.060 - Assisting Identity Theft Victims, Section C. Responding to identity theft and data breach inquiries
CMS Responding to Data Breach at Subcontractor
http://www.ftc.gov/bcp/edu/microsites/idtheft/
https://www.ssa.gov/pubs/EN-05-10064.pdf

EM 22064 - Personally identifiable information (PII) breach of Centers for Medicare & Medicaid Services (CMS) contractor involving SSNs and MBIs - One Time Only - 12/28/2022

Emergency Message