The US Department of Health and Human Services (HHS) recently notified roughly 254,000 Centers for Medicare & Medicaid Services (CMS) Medicare Program beneficiaries that a cyberattack on a third-party vendor had led to a data compromise.
The third-party vendor in question was Healthcare Management Solutions (HMS), a subcontractor of ASRC Federal Data Solutions. Investigations reveal that HMS had violated its obligations to CMS. No additional details about the violations were disclosed.
The HHS Medicare incident further highlights the persistent issues faced by the healthcare sector regarding vendor management.
According to researchers, most of the largest cyberattack incidents reported for 2022 are linked to vendors that healthcare institutions partner with for their daily operations. Partnerships with third-party vendors are critical to the sector, but they also expand its exposure to cyberattacks.
Separate reports from security researchers list the top three healthcare-related security incidents this year: Eye Care Leaders, affecting about 3.6 million patients; Advocate Aurora Health, affecting 3 million patients; and Connexin Software, affecting 2.2 million patients.
Such security incidents, including the HHS Medicare one, should lead healthcare institutions to reassess their third-party vendor partnerships and ensure they are well secured against cyber threats.
A week after the third-party vendor (HMS) notified CMS about the ransomware attack, it immediately advised all relevant and affected entities about the incident, stating that protected health information and PII had been confirmed affected. Nonetheless, the institution said no CMS systems or Medicare claims data were breached.
While the affected institution has yet to share which exact data were compromised, researchers presume that it could include full names, birthdates, Social Security numbers, banking information, contact information, Medicare beneficiary identifiers, entitlement, enrollment, and premium information.
Patients impacted by the HHS Medicare security incident will be given an updated Medicare card with a new beneficiary identifier for additional security, alongside free credit monitoring services.
Finally, CMS assured its patients that it has been assessing the incident's scope and impact and will provide continuous support to all affected individuals.