CMS continues to investigate information breach of more than 90,000 consumers

November 14, 2018

The Centers for Medicare and Medicaid Services is continuing to work with law enforcement to investigate a breach discovered on October 16 that could have affected 93,689 consumers, an increase from the 75,000 originally estimated, CMS said Tuesday.

CMS has notified individuals whose personal information was exposed.


In a November 7 letter to those affected, CMS said it didn’t know whether any of the information was actually accessed or misused. However, because the breach involved sensitive information, including partial Social Security numbers, there could be a risk of identity theft, CMS said.

The incident involved personal information that was stored by the health insurance marketplace, CMS said. Licensed insurance agents and brokers search for consumers who have an application stored there. But a number of agents and brokers engaged in “excessive searching,” CMS said.


The breach was discovered less than two weeks before open enrollment began on November 1.

Healthcare organizations are attractive and frequent targets for cyber attackers. One example is the Anthem breach, which exposed the protected health information of an estimated 79 million members.

Anthem paid $16 million in a record HIPAA settlement to the Department of Health and Human Services, Office for Civil Rights.

WHAT ELSE YOU NEED TO KNOW

Applications include name, date of birth, address, sex and the last four digits of the person’s Social Security number. Other information provided includes expected income, tax filing status, family relationships, an employer’s name and immigration documents, if applicable.

The information does not include bank account numbers, credit card numbers, diagnosis or treatment information, CMS said.


CMS has reached out to all affected consumers by phone and has mailed notification letters to offer free credit protection. The agency is offering additional services such as identity monitoring, identity theft insurance and identity restoration services.

Since the breach, CMS has been putting additional security measures in place to make sure the marketplace processes are safe and all consumer information is protected.


“On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on marketplace applications,” CMS said in the letter. “We immediately shut off these agent and broker accounts, and also shut off the entire agent and broker function while changes were made to improve security.”

Twitter: @SusanJMorse