GOP lawmakers want additional details on CMS subcontractor breach timeline

They seek information about why it took two months to notify Congress about the incident, which exposed the data of 254,000 Medicare beneficiaries.

Republican lawmakers are seeking additional details from the Centers for Medicare and Medicaid Services about the length of time it took the agency to notify Congress about a subcontractor breach that exposed the information of 254,000 Medicare beneficiaries.

In a missive sent Monday, senior lawmakers requested documentation including agency communications about the ransomware attack and communications related to notifying congressional committees of the breach.

The Centers for Medicare and Medicaid Services concluded on Oct. 18 that the incident had potentially resulted in the compromise of Medicare enrollee data. However, details of the cyberattack, which hit subcontractor Healthcare Management Solutions, were not made public until mid-December.

According to lawmakers, Congress was not notified about the incident until Dec. 1.


Under the Federal Information Security Modernization Act of 2014, federal government agencies are required to notify Congress about major cybersecurity incidents within seven days of discovery.

Details of Medicare beneficiaries that were exposed during the incident included names, addresses, dates of birth, phone numbers, social security numbers and Medicare Beneficiary Identifiers.

In addition, CMS determined that the breach may have exposed sensitive banking information including routing and account numbers. Medicare entitlement, enrollment and premium information were also potentially compromised.

In the letter, which was addressed to CMS Administrator Chiquita Brooks-LaSure, the lawmakers said: “After becoming aware of a major data breach and potential exposure of Medicare beneficiaries’ personal information, it took CMS two months to determine that the data breach constituted a “major incident” as defined in the Federal Information Security Modernization Act (FISMA).”

“To assist our investigation the into this major incident and the response by CMS, please provide the following documents and communications … no later than April 3, 2023,” lawmakers added in the missive.


As with the Office of Personnel Management cybersecurity breach that occurred in 2015, affected beneficiaries have been advised to contact their financial institutions and to enroll in credit monitoring services that will be provided by the federal government agency free of charge.

The letter was signed by House Committee on Oversight and Accountability Chairman Rep. James Comer, R-Ky., and House Committee on Energy and Commerce Chair Rep. Cathy McMorris Rodgers, R-Wash. 

Latest Podcasts