As an agency committed to transparency and security, we want to update you on recent news from the Centers for Medicare & Medicaid Services (CMS) about a data breach potentially impacting Medicare beneficiaries. Knowing the details about the 2023 CMS data breach will help you advise and reassure clients effectively.
Summary of the Incident
CMS recently announced a data security incident involving its contractor, Wisconsin Physicians Service Insurance Corporation (WPS). WPS, a third-party contractor supporting CMS in Medicare enrollments and claims processing, detected unauthorized access to its systems. During a routine security check, CMS was notified that WPS’s systems had experienced a breach that may have exposed the personal information of some Medicare beneficiaries.
Following the discovery, CMS and WPS acted quickly to contain the situation and secure affected systems. Both entities launched a comprehensive investigation to assess the scope of the breach and identify impacted individuals. WPS, working closely with CMS, is now coordinating the notification of affected parties and providing resources to help protect against potential misuse of the information involved.
Which Medicare Beneficiaries Are Affected?
CMS has reported that the recent data breach may have exposed personal information for approximately 946,801 Medicare beneficiaries connected to Wisconsin Physicians Service Insurance Corporation (WPS). While WPS’s name suggests ties to Wisconsin, its role as a CMS contractor involves processing Medicare claims for several states, including Indiana, Iowa, Kansas, Michigan, Missouri, and Nebraska.
Beneficiaries may be affected if they reside in these states or live elsewhere but receive care from providers within these regions. This means that even out-of-state beneficiaries could be impacted if their Medicare claims were processed by WPS in connection with providers from the above areas.
Every individual whose information may have been compromised will receive a direct notification from CMS. This letter will explain the incident, and impacted beneficiaries will receive a new Medicare Beneficiary Identifier (MBI) and Medicare card to further secure their data.
What Data Was Affected?
The data potentially accessed in this incident includes sensitive information associated with Medicare beneficiaries. Depending on the individual, the compromised data may include:
- Medicare Beneficiary Identifiers (MBI)
- Social Security Numbers (SSN)
- Full names and contact information, such as addresses
- Dates of birth
- Limited health information, specific to CMS program data processed by WPS
CMS and WPS are directly contacting individuals whose information may have been affected, offering guidance on protective measures, including credit monitoring options in cases where highly sensitive data was exposed.
CMS and WPS’s Response to Secure Data and Notify Individuals
CMS and WPS are taking proactive measures to manage the situation and provide support to those impacted. Their response includes:
- Notification of Affected Individuals: CMS and WPS are notifying individuals who may have been affected throughout October, detailing any potential risks, offering advice on protective actions, and processing MBI number reassignments.
- Strengthened Data Protection: CMS and WPS have further fortified their data systems in response to the incident, with assistance from cybersecurity experts, to prevent any future unauthorized access.
- Provision of Additional Resources: For added security, CMS and WPS may offer credit monitoring services and other support to beneficiaries whose personal information could be at risk.
Supporting Clients Affected by the CMS Data Breach
As Medicare insurance agents, your clients may be seeking guidance after the CMS data breach. Here are some ways you can support them:
- Check In and Guide Next Steps: Ask your clients if they’ve received any communication from CMS about the data breach, such as a letter or a new Medicare Beneficiary Identifier (MBI) and Medicare card. Remind clients that updated MBIs are necessary on enrollment applications to avoid delays. While some carriers, like Aetna, will receive updated MBIs from CMS directly (requiring no action from the beneficiary), it’s always wise for clients to double-check and be proactive in managing their coverage. Encourage them to stay involved, and let them know you’re available to help where needed. They must follow the steps outlined by CMS. Once clients receive their new card, they should:
- Follow the instructions in the accompanying letter
- Destroy their old Medicare card
- Inform their healthcare providers of their new Medicare number
- Promote Security and Monitoring Services: WPS is offering a complimentary 12-month credit monitoring service through Experian for affected individuals, which can provide some peace of mind. Additionally, under U.S. federal law, clients are entitled to one free annual credit report from each of the three major credit bureaus (Equifax, Experian, and TransUnion). Make sure your affected clients know about these resources and encourage them to monitor their accounts for any unusual activity.
- Reassure Clients and Encourage Caution: Emphasize CMS’s and WPS’s prompt response and their focus on notifying and securing the information of affected beneficiaries. Remind clients to be vigilant of any suspicious communications claiming to be from CMS, WPS, or other Medicare agencies, as CMS will not request sensitive information by phone or email.
Additional Resources for Agents and Clients
Unfortunately, data breaches are possible in our technology-driven society. However, it’s important to know that CMS and WPS are working together to remedy the situation and protect all Medicare clients, especially those who were impacted. For further information, agents and clients can visit the CMS website for official statements and ongoing updates.
…
If you have questions about this incident or require guidance in client conversations, our team at Carolina Senior Marketing is here to help! We’re here to support you in maintaining client trust and security. Give us a call at (919) 460-6073.
