Healthcare Management Solutions (HMS), a subcontractor of The Centers for Medicare & Medicaid Services (CMS), was subject to a ransomware attack on October 8. On December 14, CMS released a response to the breach, which affects up to 254,000 Medicare beneficiaries. The federal agency sent a letter informing those beneficiaries, and it is issuing them new Medicare cards.
CMS systems were not breached in this incident, but Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI) were still compromised. Organizations must think about more than their own systems when evaluating the potential attack surface.
“As medical providers such as CMS have grown, they have outsourced more and more functionality to subcontractors, often sharing this sensitive information with them. These companies will have smaller budgets and typically fewer security controls, making them much easier targets for attackers looking for sensitive information,” Fred Kneip, CEO, third-party cyber risk management company CyberGRX, tells InformationWeek.
HMS has access to CMS data related to processing Medicare eligibility, entitlement records and premium…
