The Centers for Medicare & Medicaid Services (CMS) has been busy issuing notices about breaches this week. First, it warned providers about a fraud scheme involving medical records requests. Now it is notifying Medicare beneficiaries whose information was involved in a data breach where threat actors were able to create online accounts using beneficiaries’ information that was acquired from unknown external sources:
The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS.
Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take.
Below is a sample of a letter being sent to those potentially affected:
Dear ______________,
We’re writing to inform you of an incident involving your personal information related to your Medicare.gov account. To help make sure your privacy is protected, we will mail you a new Medicare card with a new Medicare Number in the coming weeks.
The incident involved currently unknown bad actors who accessed your data from an unknown source to fraudulently create Medicare.gov accounts.
We’re sending you this letter so you understand this incident, how we’re addressing it, and additional steps you can take to protect your privacy. Your current Medicare benefits or coverage aren’t affected by this incident.
What Happened?
On May 2, 2025, CMS’ 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received letters confirming the creation of Medicare.gov accounts they did not initiate. CMS promptly launched an investigation and discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers (MBI), coverage start date, last name, date of birth, and zip code.
Once these unauthorized accounts were established, bad actors may have accessed additional beneficiary data, including:
- Provider information
- Mailing address
- Dates of service
- Diagnosis codes
- Services received
- Plan premium details
CMS is not aware of any reports of identity fraud or misuse of the information as a direct result of this activity. Nevertheless, out of an abundance of caution, CMS is taking proactive steps to safeguard beneficiary information.
What Actions are Being Taken?
CMS immediately deactivated all fraudulently created Medicare.gov accounts.
CMS disabled the ability to create new Medicare.gov accounts from foreign IP addresses to prevent further exploitation.
CMS continues to monitor claims data for any suspicious activity and is replacing MBIs for affected individuals.
CMS is mailing new Medicare cards with new MBIs to beneficiaries as needed.
What Can Beneficiaries Do?Beneficiaries are encouraged to:
Review Medicare Summary Notices and Explanation of Benefits for any unfamiliar charges or services.
Report any suspicious activity to 1-800-MEDICARE (1-800-633-4227) or the Office of Inspector General at oig.hhs.gov/fraud/report-fraud/.
Obtain free annual credit reports through www.annualcreditreport.com or by calling 1-877-322-8228.
File reports with local law enforcement and/or the Federal Trade Commission by calling 1-877-IDTHEFT (1-877-438-4338) or online at www.ftc.gov/idtheft if any identity theft concerns arise.For additional information or questions, beneficiaries can directly contact 1-800-MEDICARE (1-800-633-4227).