U.S. Rep. Cathy McMorris Rodgers (R-WA) wants more details about a ransomware attack on a subcontractor for the Centers for Medicare & Medicaid Services (CMS) that impacted the personally identifiable information of some 254,000 Medicare beneficiaries.
The U.S. House Energy and Commerce Committee, which is chaired by Rep. McMorris Rodgers, and the U.S. House Oversight and Accountability Committee are investigating the Oct. 8, 2022 data breach on the corporate network of Healthcare Management Solutions LLC (HMS), a subcontractor to ASRC Federal Data Solutions LLC (ASRC), which supports the CMS Office of Hearings and Inquiries.
CMS found out about the data breach a day after it happened and determined on Oct. 18, 2022 that “some Medicare beneficiaries” had been impacted, according to a March 20 letter that the congresswoman and U.S. Rep. James Comer (R-KY) sent to CMS Administrator Chiquita Brooks-LaSure.
“However, it was not until Dec. 1, 2022 that CMS made the determination that the data breach constituted a ‘major incident,’ as defined in the Federal Information Security Modernization Act of 2014,” wrote Rep. McMorris Rodgers and her colleague. “In other words, bad actors had access to Medicare beneficiaries’ information for two months before CMS determined this ransomware attack was a ‘major incident’ triggering a legal obligation to inform Congress of such an incident.”
CMS provided a briefing to congressional staff on Dec. 15, 2022 about the incident, but Rep. McMorris Rodgers and Rep. Comer, who chairs the House Oversight and Accountability Committee, in their letter requested additional documents and communications to assist in the committees’ investigation.
The compromised information potentially includes personally identifiable information and protected health information of enrollees, including name, address, date of birth, phone number, Social Security Number, Medicare beneficiary identifier, banking information, and Medicare entitlement, enrollment, and premium information, according to the lawmakers’ letter.
They requested that Brooks-LaSure provide myriad documents and communications regarding any aspect of the ransomware attack, including any action proposed or taken by CMS, HMS, and ASRC as a result of the ransomware attack, to their committee offices by April 3.