Initial information of a reported ransomware attack on vendor Healthcare Management Solutions indicates the company acted in “violation of its obligations to CMS,” according to the agency, and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries.
WHY IT MATTERS
CMS was notified on October 9 that the subcontractor’s corporate systems had been attacked with ransomware the day before.
HMS resolves system errors related to Medicare beneficiary entitlement and premium payment records for CMS under a contract with ASRC Federal Data Solutions, LLC, but does not handle Medicare claims information, according to the agency’s statement.
The subcontractor also supports the collection of Medicare premiums from the direct-paying beneficiary population.
Initially, CMS was informed that Medicare beneficiary data was not involved, but by October 18, the agency said it was confident that some of its 64 million beneficiaries were involved in the data breach.
CMS is notifying the Medicare beneficiaries whose personally identifiable information (PII) or protected health information may have been put at risk as a result of the cyberattack incident that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier and can enroll in free-of-charge credit monitoring services.
The affected Medicare beneficiaries will need to inform providers of their new Medicare numbers, CMS said in the sample letter included with the statement.
The data potentially compromised may have included names; addresses; dates of birth; phone numbers; Social Security numbers; Medicare beneficiary identifiers; banking information including routing and account numbers; and Medicare entitlement, enrollment and premium Information.
While CMS reiterated that HMS acted in violation of its obligations, it did not go any further at this time in explaining how the company that provides Medicare Premium Exception Reconciliation and a number of other healthcare quality assurance, regulatory compliance and operational to governments was in violation.
“It’s no secret that [PHI] is the most valuable type of data on the black market. The [CMS] breach is notable because it shows how vulnerable the sector is to supply chain attacks,” according to Mike Walters, vice president of vulnerability and threat research and co-founder of Action1 Corporation, which provides cloud-native patch management software, and former co-founder of Frisco, Texas-based Netwrix.
“Even though most of these measures are a part of compliance regulations such as HIPAA that healthcare contractors need to adhere to, in reality, there is no way for healthcare providers to control how closely contractors follow these practices and enforce compliance if required,” he said in an email statement.
HMS reached out to Healthcare IT News acknowledging unauthorized access to its network affecting “limited systems” and requesting to share the following statement:
“HMS acted swiftly to take the network offline in order to contain the incident. Industry-leading external cybersecurity experts were engaged to launch an investigation into the incident, which remains ongoing. Patient privacy has always been our top priority, and we have steadfastly maintained our obligation to patients and to any agency or contractor with which we have worked. We regret any concern this incident may have caused our community and will notify impacted individuals pursuant to legal and contractual obligations.”
THE LARGER TREND
Third-party risks had cost the healthcare industry nearly $24 billion per year by 2019 and were largely attributed to the inability to automate risk assessments and remediation. However, the cost of the average breach in healthcare surpassed $10 million, according to the 2022 IBM X-Force Cost of a Data Breach Report.
Compounding record-high costs are the largely manual, time-intensive processes of third-party risk assessment for resource-limited healthcare IT teams.
Even when completed, the assessments are a “snapshot in time,” according to Kathy Hughes, CISO of Northwell Health, earlier this month at the 2022 HIMSS Cybersecurity Forum.
“As we do hundreds of thousands of these assessments, that bleeds into hundreds of thousands of issues that we see and find, which means hundreds of thousands of different things you have to manage,” said Erik Decker, assistant vice president and CISO at Intermountain Healthcare, during the third-party risk management panel.
Hughes advised organizations that to move the needle on third-party cybersecurity, they must negotiate with vendors and get commitments to comply with its standards – and, put that in the contract language.
ON THE RECORD
“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure.
“We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS,” she added.
This article was updated on December 20 to include a statement from HMS.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.