Effective Dates: 12/28/2022 - Present
Retention Date: June 28, 2023
Intended Audience: All RCs/ARCs/ADs/FOs/TSCs/PSCs/OCO/ODARHQ
Originating Office: DCO OPSOS
Title: Personally identifiable information (PII) breach of Centers for Medicare & Medicaid Services (CMS) contractor involving SSNs and MBIs - One Time Only
Type: EM - Emergency Messages
Link To Reference: See References at the end of this EM.
On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a Centers for Medicare & Medicaid Services (CMS) subcontractor, was subject to a ransomware attack on its corporate network. In addition to premium payments, HMS handles CMS data as part of processing Medicare eligibility and entitlement records. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. Currently, there is no evidence that this information has been used illegally.
B. Handling Inquiries about this PII release
Sample letter to potentially affected beneficiaries 122022.docx
RM 10220.060 - Assisting Identity Theft Victims, Section C. Responding to identity theft and data breach inquiries
CMS Responding to Data Breach at Subcontractor
If you receive a call related to the recent loss of PII, take the following steps.
1. Refer to the CMS News Release, CMS Responding to Data Breach at Subcontractor, for information to provide the caller about the situation.
2. If the caller inquires about getting a new SSN because of this situation, inform them that a loss of data by an agency does not itself generate a need for a new SSN, consistent with guidance in RM 10220.060 - Assisting Identity Theft Victims, Section C. Responding to identity theft and data breach inquiries. Callers who have further questions or concerns about a new SSN may seek assistance from their local Field Office.
3. Tell the caller that, as a precaution, because the information included names, SSNs and other PII documents, he or she should continuously monitor his or her financial accounts for suspicious activity.
4. Inform the caller that he or she may obtain tips on how to guard against misuse of his or her personal information from the Federal Trade Commission's (FTC) website at http://www.ftc.gov/bcp/edu/microsites/idtheft/
5. In addition, offer to mail the factsheet, "Identity Theft And Your Social Security Number" (05-10064), or, if the caller has access to the Internet, tell him or her that the factsheet can be downloaded from SSA's website at https://www.ssa.gov/pubs/EN-05-10064.pdf.
6. Advise the caller to contact his or her financial institution and credit providers if he or she detects a problem with any of his or her accounts.
Direct all program-related and technical questions to your Regional Office (RO) support staff or Processing Center (PC) Operations Analysis (OA) staff. RO support staff or PC OA staff may refer questions or problems to their Central Office contacts.
EM 22064 - Personally identifiable information (PII) breach of Centers for Medicare & Medicaid Services (CMS) contractor involving SSNs and MBIs - One Time Only - 12/28/2022