
The Centers for Medicare and Medicaid Services is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts.
CMS said it identified suspicious activity related to the unauthorized creation of some online beneficiary accounts using personal information obtained from unknown external sources.
After the incident was detected, CMS worked to deactivate the affected accounts to mitigate the effects on patients, and to assess the scope and impact of the data breach.
About 103,000 beneficiaries may have been impacted, CMS said, and are being notified via mail.
WHAT'S THE IMPACT
On May 2, CMS' 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received letters confirming the creation of Medicare.gov accounts they didn't initiate.
An investigation conducted by CMS discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers (MBI), coverage start date, last name, date of birth and ZIP code.
Once these unauthorized accounts were established, the bad actors may have accessed additional beneficiary data, including provider information, mailing address, dates of service, diagnosis codes, services received and plan premium details.
CMS said it's not aware of any fraud or misuse of the information to date. But out of caution, the agency deactivated the fraudulently created accounts and disabled the ability to create new Medicare.gov accounts from foreign IP addresses.
CMS is also monitoring claims data for suspicious activity, replacing Medicare Beneficiary Identifiers for those affected, and mailing new Medicare cards with new MBIs to beneficiaries as needed.
THE LARGER TREND
Beneficiaries were also encouraged to take action.
According to CMS, they should review Medicare Summary Notices and Explanation of Benefits for any unfamiliar charges or services, and report any suspicious activity to 1-800-MEDICARE (1-800-633-4227) or the Office of Inspector General at oig.hhs.gov/fraud/report-fraud/.
CMS said beneficiaries can also obtain free annual credit reports through www.annualcreditreport.com or by calling 1-877-322-8228, and can file reports with local law enforcement and/or the Federal Trade Commission by calling 1-877-IDTHEFT (1-877-438-4338) or online at www.ftc.gov/idtheft if any identity theft concerns arise.
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.