Health Care Management Solutions, LLC

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Health Care Management Solutions, LLC (HMS), a West Virginia-based healthcare consulting company, suffered a significant data breach that affected at least 500,000 individuals[1]. The breach was the result of a ransomware attack on the company’s corporate network on October 8, 2022[3]. HMS is a subcontractor of ASRC Federal Data Solutions, LLC, and handles data related to Medicare eligibility, entitlement records, and premium payments for the Centers for Medicare & Medicaid Services (CMS)[2][3].

The compromised information may include names, addresses, phone numbers, email addresses, healthcare information, insurance information, medical diagnoses, medical procedure history, payment information, Social Security numbers, Medicare Beneficiary Identifiers, and banking details[1][2]. This sensitive data could potentially be used by cybercriminals for identity theft or sold on the Dark Web[1].

CMS has responded to the incident by notifying potentially affected Medicare beneficiaries and offering free credit monitoring services[2]. They have also begun the process of issuing new Medicare cards with new numbers to impacted individuals[11]. The CMS systems themselves were not breached, and no Medicare claims data were involved[2].

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights, as required by law when patient information is at risk[1]. HMS has taken steps to contain the incident and has engaged external cybersecurity experts to investigate[3]. The company has also begun contacting individuals whose information may have been impacted[4].

The investigation into the ransomware attack is ongoing, and HMS has expressed regret for any concern the incident may have caused[3][11]. The CMS continues to assess the impact of the breach and is working to support individuals potentially affected by the incident[3].

This breach is part of a larger trend of increased cyberattacks on healthcare entities and their business associates, highlighting the importance of robust cybersecurity measures and the management of third-party risk[5].

Citations:

  1. https://www.idstrong.com/sentinel/healthcare-management-solutions-data-breach/
  2. https://www.cms.gov/newsroom/press-releases/cms-responding-data-breach-subcontractor
  3. https://www.defensorum.com/around-254000-medicare-beneficiaries-impacted-by-cms-subcontractor-ransomware-attack/
  4. https://www.turkestrauss.com/2022/12/20/healthcare-management-solutions-data-breach-investigation/
  5. https://www.hipaajournal.com/2022-healthcare-data-breach-report/
  6. https://www.idstrong.com/sentinel/advanced-medical-management-data-breach/
  7. https://www.thelyonfirm.com/blog/healthcare-management-solutions-data-breach-investigation/
  8. https://www.hipaajournal.com/up-to-254000-medicare-beneficiaries-affected-by-ransomware-attack-on-cms-subcontractor/
  9. https://oversight.house.gov/release/comer-rodgers-press-for-information-on-data-breach-of-thousands-of-medicare-beneficiaries-personally-identifiable-information%EF%BF%BC/
  10. https://stacker.com/west-virginia/biggest-health-care-data-breaches-you-should-know-about-west-virginia
  11. https://healthitsecurity.com/news/cms-responds-to-third-party-data-breach-impacting-254k-medicare-beneficiaries
  12. https://www.hipaajournal.com/november-2022-healthcare-data-breach-report/
Breach Submission Date Nov 14, 2022
Converted Entity Name Health Care Management Solutions, LLC
Converted Entity Type Business Associate
State WV
Individuals Affected 500,000
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes