CMS Announces Subcontractor Data Breach

21 Dec, 2022 F.J. Thomas


Sarasota, FL – Earlier this month, the Centers for Medicare & Medicaid Services (CMS), which regulates and manages the federal Medicare program, issued a press release stating that one of its subcontractors had been involved in a data breach in which 254,000 beneficiaries may be impacted.

According to the announcement, a subcontractor for ASRC Federal Data Solutions, LLC (ASRC Federal) is the source of the breach. The ASRC subcontractor, Healthcare Management Solutions, LLC (HMS), which handles CMS beneficiary data for eligibility and premium payment processing, was hit by a ransomware attack in early October. CMS contends that while no federal systems were breached and no claims data was accessed, patients’ personally identifiable information could potentially have been accessed in HMS’s system in the breach. As of December 20th, neither ASRC nor HMS has issued a formal news release on its website about the attack. According to the HHS Data Breach website, the breach submission date was not until November 14th.

According to the CMS press release, the agency's investigation suggests that HMS acted in violation of its obligation to CMS, but the investigation is still ongoing. HMS was hit by a ransomware attack on its corporate network on October 8th and notified CMS of the issue on October 9th. On October 18th, CMS investigators determined with “high confidence” that patient information for at least some of the records had been accessed. CMS has begun mailing out letters to the patients impacted.

According to the data on the HHS Data Breach website, there have been 597 data breaches reported through December 20th, compared to 277 for all of 2021. The total represents a 115.52 percent increase in the number of data breaches reported so far in 2022.

In 2021, 20 percent of data breaches (a total of 56) involved a hacking event at a third-party vendor. For 2022, that percentage has increased to 27 percent, with 166 breaches resulting from a hacking event involving a third-party vendor. The number of breaches at third-party vendors due to unauthorized access or disclosure has increased for 2022 as well. Unauthorized access breaches by vendors totaled 12 in 2021, but for 2022 that total tripled to 36 reports.

The number of data breaches not involving vendor activity has increased as well. In 2021, 165 breaches occurred on healthcare systems directly. For 2022, that total increased to 313 with 10 more reporting days to go.  






    About The Author

    • F.J. Thomas

      F.J. Thomas has worked in healthcare business for more than fifteen years in Tennessee. Her experience as a contract appeals analyst has given her an intimate grasp of the inner workings of both the provider and insurance world. Knowing first hand that the industry is constantly changing, she strives to find resources and information you can use.
