CMS Data Breach Exposes PHI of 950,000 Medicare Beneficiaries

On September 6, 2024, the Centers for Medicare & Medicaid Services (CMS) announced a data breach affecting individuals’ protected health information (PHI) and personally identifiable information (PII). This breach involved a contractor responsible for Medicare Part A/B claims and related services. The compromise was linked to a security vulnerability in third-party software used by the contractor for transferring files in connection with CMS services.

The vulnerability, which existed between May 27 and May 31, 2023, was discovered and disclosed by the software developer on May 31, 2023. A patch was promptly released to address the issue. The contractor applied this patch and initially found no evidence of unauthorized access to files during its investigation in 2023.

However, in May 2024, after receiving new information, the contractor conducted a more thorough review with a third-party cybersecurity firm. This review confirmed that while the patch effectively prevented further unauthorized access after June 2023, unauthorized third parties had copied files from the contractor’s system before the patch was applied. An assessment of the affected files revealed that, although some files did not contain any PII, others did.

On July 8, 2024, the contractor informed CMS that the compromised files included personal information. CMS and the contractor began notifying the 946,801 current Medicare beneficiaries whose information may have been exposed. Written notifications are being sent to those individuals, detailing the breach and the steps being taken in response. For individuals with outdated or insufficient contact information, CMS posted a substitute notice with similar details.

Compliance Perspective

Issue

Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. Notification must be made in written form via first-class mail, or by email if the affected individual has consented to electronic notices. If contact information is insufficient or outdated for 10 or more individuals, substitute notice must be provided either by posting on the entity’s website for at least 90 days or by using major print or broadcast media where the affected individuals are likely to see it. The notice must include a toll-free phone number that remains active for at least 90 days for individuals to learn if their information was involved in the breach. For fewer than 10 individuals with outdated or insufficient contact information, substitute notice can be made through alternative written forms, telephone, or other means. Notifications must be issued without unreasonable delay and no later than 60 days following the breach discovery. The notice must include: a brief description of the breach, details on the types of information involved, steps individuals should take to protect themselves, a description of the actions being taken to address and mitigate the breach, and contact information for the covered entity or business associate.

Discussion Points

    • Review policies and procedures related to HIPAA and PHI. Ensure they include comprehensive data security and breach-notification practices. Regularly update these policies to reflect new threats and regulatory changes.
    • Provide regular training for appropriate staff on HIPAA, PHI, and data security. This should include guidance on avoiding phishing schemes, malware exposure, unauthorized PHI release, and detecting and reporting malicious software. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
    • Conduct regular audits to ensure that security practices are being properly implemented and adhered to. These audits should verify compliance with recognized data integrity security measures and assess whether the facility’s HIPAA and PHI policies and procedures are being followed. Use audit results to identify areas for improvement and to make necessary adjustments to policies and practices.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*