
CMS subcontractor attacked by ransomware



Initial information about a reported ransomware attack on provider Healthcare Management Solutions (HMS) indicates that the company acted “in violation of its obligations to CMS,” according to the agency, and the HMS-related incident has the potential to affect 254,000 Medicare beneficiaries.

WHY IT'S IMPORTANT

CMS was notified on October 9 that the subcontractor’s corporate systems had been attacked with ransomware a day earlier.

HMS resolves system errors related to Medicare beneficiary benefits and premium payment records for CMS under contract with ASRC Federal Data Solutions, LLC, but does not process Medicare claim information, according to the agency’s statement.

The subcontractor also assists in collecting Medicare premiums from direct-paying beneficiaries.

CMS was initially told that Medicare beneficiary data was not involved, but as of October 18, the agency said it was confident that some of its 64 million beneficiaries were involved in the data breach.

CMS is notifying Medicare beneficiaries whose personally identifiable information (PII) or protected health information may be at risk from the cyberattack that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier and can sign up for a free credit monitoring service.

Affected Medicare beneficiaries will need to notify providers of their new Medicare number, CMS said in the sample letter accompanying the statement.

Potentially compromised data may include names; address; date of birth; phone number; Social Security number; Medicare beneficiary identification number; banking information including routing and account numbers; and Medicare benefits, enrollment, and premium information.

While CMS reiterates that HMS has acted in breach of its obligations, at this point the agency does not explain further how the company, which provides Medicare Premium Exception Conditioning and some healthcare quality assurance, regulatory compliance, and operations services for governments, violated them.

“It’s no secret that [PHI] is the most valuable type of data on the black market. The [CMS] breach is notable because it shows how vulnerable the sector is to supply chain attacks,” said Mike Walters, vice president of vulnerability and threat research, chief executive officer and co-founder of Action1 Corporation, a cloud-native patch management software company, and former co-founder of Netwrix, based in Frisco, Texas.

“While most of these measures are part of compliance regulations such as HIPAA that healthcare contractors need to comply with, in practice there is no way for healthcare providers to control how closely contractors adhere to these practices and enforce compliance if required,” he said in an email statement.

THE BIGGER TREND

Third-party risks cost the healthcare industry nearly $24 billion a year in 2019, and that’s largely due to the inability to automate risk assessments and remediation. However, the cost of an average breach in healthcare exceeds $10 million, according to the IBM X-Force Data Breach Cost Report 2022.

Compounding the record-high costs is a largely manual, time-consuming third-party risk assessment process for resource-constrained healthcare IT teams.

Even when completed, the assessments are still a “snapshot,” Kathy Hughes, CISO of Northwell Health, said earlier this month at the HIMSS 2022 Cybersecurity Forum.

“When we do these hundreds of thousands of assessments, that leads to hundreds of thousands of issues that we see and detect, which means you have to manage hundreds of thousands of different things,” said Erik Decker, assistant vice president and CISO at Intermountain Healthcare, in a third-party risk management panel.

Hughes advises organizations that to promote third-party cybersecurity, they must negotiate with vendors and get commitments to comply with their standards – and put that into the language of the contract.

ON THE RECORD

“The protection and confidentiality of beneficiary information is of utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure.

“We continue to assess the impact of the breach involving subcontractors, facilitate support for individuals potentially impacted by the incident, and will take all necessary action to protect information delivered to CMS,” she added.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS.