The nation’s largest insurer has launched an investigation after staff “detected anomalous activity.”
Some form of data breach has hit the U.S. Centers for Medicare & Medicaid Services, exposing the information of roughly 75,000 people and prompting an investigation, according to the agency.
The breach affected the Federally Facilitated Exchanges’ (FFE) Direct Enrollment pathway, which enables agents and brokers to help “consumers with applications for coverage in the FFE,” according to a CMS release that was sent to journalists at 5:22 p.m. Friday.
Reached by phone, a CMS official who only gave his first name, Jeremy, declined to provide details on which patient populations are affected and what kind of personal information was compromised. He directed all questions to CMS’s press email box, and we will update when more information becomes available.
>> READ: Yes, Healthcare’s Data Breach Problem Really Is That Bad
“I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted,” CMS Administrator Seema Verma, MPH, said in a statement. “We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”
CMS staff “detected anomalous activity” on Oct. 13 and declared it a breach on Oct. 16. Officials “took immediate steps to secure the system and consumer information,” according to the press release. The agency began investigating the incident and notified federal law enforcement agents.
CMS deactivated the agent and broker accounts connected to the irregular activity and disabled the Direct Enrollment pathway.
“We are working to address the issue, implement additional security measures and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said in its announcement.
In the release and through its spokesperson, CMS said the investigation into the data breach is in the early stages. The agency plans to provide more details going forward.
It’s unclear whose information was compromised or by whom. The scope of breached data — whether it be names, addresses, medical histories or anything else — also remains in question.
The CMS breach, however, has not yet appeared on the Office for Civil Rights data breach page. If it does end up in that database, the CMS breach would be the largest reported so far in October.
“Our number one priority is the safety and security of the Americans we serve,” Verma said in the release. “We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information.”
Get the best insights in healthcare analytics directly to your inbox.
Can Outside Disruption Save Healthcare?
WannaCry, NotPetya and Cyberwarfare’s Threat to Healthcare
With 860K Affected Patients, July Among Worst Data Breach Months of Year