A Medicare and Medicaid Breach Now Hits Over 100,000 Americans

July 3, 2025

Comments Off

July 3, 2025 – A significant data breach at the U.S. Centers for Medicare & Medicaid Services (CMS) has compromised the personal information of approximately 103,000 Medicare beneficiaries, leading to the creation of fraudulent accounts on Medicare.gov.

The breach, which involved the unauthorized use of sensitive data obtained from unknown external sources, has raised concerns about the security of personally identifiable information (PII) within the healthcare system.

On May 2, 2025, CMS’s 1-800-MEDICARE call center began receiving inquiries from beneficiaries who had received letters confirming the creation of Medicare.gov accounts they did not initiate.

Following these reports, CMS launched an investigation, uncovering that malicious actors had fraudulently created accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers (MBI), coverage start dates, last names, dates of birth, and ZIP codes.

Once these unauthorized accounts were established, fraudsters may have accessed additional sensitive information, such as provider details, mailing addresses, dates of service, diagnosis codes, services received, and plan premium details.

CMS has stated that it is not aware of any direct instances of identity fraud or misuse resulting from this incident. However, out of caution, the agency is taking proactive measures to protect affected beneficiaries.

CMS Response and Mitigation Efforts

Upon detecting the suspicious activity, CMS promptly deactivated all fraudulently created Medicare.gov accounts to prevent further unauthorized access.

The agency is now mailing notifications to the approximately 103,000 affected beneficiaries, outlining the incident, the steps being taken to safeguard their information, and guidance on protective actions they can take.

Beneficiaries whose MBIs were compromised will receive new Medicare cards with updated identifiers to prevent potential misuse.

CMS emphasized the importance of safeguarding PII, stating, “The safeguarding and security of personally identifiable information is of the utmost importance to CMS.”

The agency is collaborating with law enforcement and cybersecurity experts to investigate the breach and determine the source of the compromised data, which CMS believes was obtained from external sources rather than a direct breach of its IT systems.

For affected individuals or those concerned about their accounts, CMS recommends contacting 1-800-MEDICARE (1-800-633-4227) for assistance.

The agency also advises beneficiaries to monitor their Medicare accounts and credit reports for suspicious activity and to enroll in free credit monitoring services if offered.

This incident is part of a broader trend of increasing data breaches in the healthcare sector, which is frequently targeted due to the high value of medical records on the dark web.

According to Experian, medical records are among the most sought-after data types by cybercriminals, often fetching high prices due to their detailed personal and financial information.

In 2024 alone, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported 725 large healthcare data breaches, affecting over 275 million individuals—82% of the U.S. population.

While this CMS breach is smaller in scale compared to incidents like the 2023 MOVEit breach, which impacted over 3 million Medicare beneficiaries via a contractor, it underscores ongoing vulnerabilities in healthcare data security.

Experts warn that phishing attacks and unauthorized access to third-party systems remain common vectors for such breaches.

CMS itself recently issued an alert about a separate fraud scheme involving scammers impersonating Medicare officials in phishing faxes, highlighting the persistent threat of social engineering in healthcare fraud.

Broader Implications and Recommendations

The CMS breach highlights the growing sophistication of cybercriminals targeting government healthcare programs.

Roy Zur, CEO of Charm Security, noted that confusion and fear surrounding changes in healthcare policy, such as potential shifts in Medicaid coverage, create opportunities for psychological manipulation by fraudsters.

“The combination of confusion, fear, and millions of people scrambling for coverage creates the perfect storm for psychological manipulation,” Zur said.

To protect against future incidents, experts recommend that healthcare organizations conduct regular cybersecurity audits, enhance incident response plans, and ensure compliance with HIPAA regulations.

Beneficiaries are advised to: