by Kristin Rowan, Editor

CMS Ransomware Attack

In mid-2023, a planned file transfer went awry when Clop claimed to have breached hundreds of companies that they later listed on a data leak site. Among the companies listed were Shell, UnitedHealthcare Student Resources, The University of Georgia, and Putnam Investments. Also compromised were government entities including the U.S. Department of Energy. According to Clop, data from military sources, children’s hospitals, and other .gov sites was also copied. The ransomware group alleges they deleted all information from government, military, and children’s hospital sites.

Unfortunately, there is no way to confirm whether all that information was indeed deleted. Earlier this year, Change Healthcare suffered a similar widespread breach that caused massive payment delays for months. CMS provided guidance during those delays. 

Underreporting of Attack

Many of the companies impacted by this attack chose to disclose the breach rather than negotiate with the ransomware attackers to retrieve the stolen data. When Bleeping Computer reached out to those companies immediately following the attacks, a number of them indicated that only a small number of people were affected and that no financial or identifiable information had been stolen. It now seems, though, that not all companies involved in the attack were on the initial list.

Wisconsin Physicians Service (WPS) health insurance corporation was among the companies not listed when news of this attack was first published. WPS provides Medicare administrative services to CMS, including handling Medicare Part A/B claims. In the first week of September, nearly 3-1/2 months after the attack, CMS and WPS started notifying beneficiaries whose protected health information (PHI) or other personally identifiable information (PII) may have been stolen during the attack.

1,000,000 Notifications

On July 28, 2023, CMS estimated 612,000 Medicare beneficiaries may have had PHI and/or PII exposed in the breach. That number has increased to almost 1 million. CMS and WPS are sending notifications to more than 950,000 people whose information has been compromised. The letter explains further:

May 31, 2023, MOVEit disclosed the breach to the public and released a patch.

June 2, 2023, WPS notified CMS of a data breach that occurred sometime between May 27 and May 31, 2023.

According to WPS, they applied the patch but did not observe any evidence of any files having been copied.

July 28, 2023, CMS sends an initial letter to beneficiaries whose information may have been affected.

May 2024, WPS acted on new information that led them to discover copied files from before the patch was deployed.

Of the portion of breached files that WPS studied, none were found to have personal information.

June 8, 2024, a different portion of the files showed personal information was contained in those files. This information includes:

  • Name
  • Social Security Number or Individual Taxpayer Identification Number
  • Date of Birth
  • Mailing Address
  • Gender
  • Hospital Account Number
  • Dates of Service
  • Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number

Note: in the initial letter sent to beneficiaries in July of 2023, CMS also listed Healthcare Provider, Prescription Information, Insurance Claims, Policy Information, Subscriber Information, Health Benefits, and Enrollment Information as possibly having been leaked. These items were removed from the list in the September 2024 version of the same letter.

For those who received this notification, CMS and WPS offered a complimentary year of credit monitoring from Experian. CMS also advised members to request their free credit report from each of the credit reporting companies.

The letter also informed members that they would soon receive a new Medicare card with a new Medicare Number. 946,801 people received this notice.

CMS Ransomware Attack Victims Not Notified

On September 24, 2024, Bleeping Computer reported that on the same day CMS sent more than 900,000 letters to members, they also reported to the Department of Health and Human Services that the total number of people with information stolen was 3,112,815. CMS explains the difference by saying the larger number includes Medicare beneficiaries, people who are deceased, and people who were covered by other providers but whose information was included in WPS data collection used for provider audits in their role as Medicare Administrative Contractors (MACs).

New MBIs and What it Means For You

According to a blog post dated September 26, 2024 from SimiTree, starting in mid-October, CMS will issue new Medicare cards with new Medicare Beneficiary Identifiers to the 946,801 Medicare beneficiaries who were previously identified as at risk and were notified of the breach. This may cause undue delays and other issues for home health and hospice providers.

Claim Rejection

If these beneficiaries use their existing MBI after the new one has been issued, providers could see rejections on NOAs, NOEs, OASIS submissions, and claims.

Urgent Reverification

Providers will need to reverify eligibility and update patient records in their EMR systems. Because providers were not notified of which beneficiaries were impacted, agencies will need to verify MBIs for every Medicare patient.

Possible Disruption

The full impact of reassigning MBIs to nearly 1 million Medicare beneficiaries is not yet known. Medicare has not clarified what will happen to claims for active patients whose MBIs change while those claims are being processed. Delayed processing, delayed payments, and incorrect denial of services or payments are all possible due to the volume of MBIs changing at once.

How to Prepare

Our friends at SimiTree have some suggestions for how home health and hospice providers can prepare in advance for the MBI change coming around October 15-16, 2024.

  • Take Immediate Action – start reverifying eligibility for all Medicare patients now
  • Update Systems – ensure your EMR and other solutions in your tech stack are updated and ready to handle the changes
  • Train your Staff – make sure everyone on your team knows this change is coming and teach them new verification procedures so their patients aren’t left without care

CMS has not issued a statement about the impact of the MBI changes, but this story is ongoing and we will continue to monitor and report on any updates from WPS and CMS as well as look for additional information on the changes expected with the new MBIs.

# # #

Kristin Rowan, Editor

Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly kristin@girardmarketinggroup.com or www.girardmarketinggroup.com

©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan Report. One copy may be printed for personal use: further reproduction by permission only. editor@therowanreport.com