Since 2011, we've helped more than 5 million visitors understand Medicare coverage.

Learn about Medicare plans.*

Explore plans from a licensed agency!

Was your Medicare data affected by a data breach?

How to know if your personal information was compromised – and what to expect next.

Louise Norris | January 10, 2024

Data breaches of Medicare enrollees’ data have been in the news recently, in the wake of a significant hack of a file transfer platform that impacted the data of millions of people, including hundreds of thousands of Medicare beneficiaries (initially about 612,000 beneficiaries, with another 330,000 identified a few months later). Another incident in late 2022 resulted in affected data for about 254,000 Medicare beneficiaries.

But data breaches aren’t always that widespread – and they can be the result of a simple error rather than a malicious hack/ransomware incident. Regardless of the cause, it’s disconcerting to find out that your personal information has been impacted. Let’s take a look at what you need to know about Medicare data breaches.

How do I know if my personal information was affected by a data breach?

If your personally identifiable information (PII) and/or protected health information (PHI) is impacted by a data breach – either directly or via a third-party vendor – you will receive a letter through the U.S. Postal Service from the Centers for Medicare & Medicaid Services (CMS).1CMS will not call, email, or text you about a data breach or any action required on your part.

The letter will explain what happened, the specific PII and/or PHI that might have been compromised, what is being done to address the issue, and what steps, if any, you can or should take. You can read recent examples of these letters here and here.

In some cases, CMS will send a letter to a beneficiary but it is undeliverable and returned to CMS, so some people impacted by data breaches may not receive their letter from CMS. If you didn’t receive a letter but want to put your mind at ease, you can call 1-800- MEDICARE (1-800-633-4227) to ask directly whether your Medicare account has been involved in any data breaches.

If you receive a phone call, text, or email from someone saying they’re with Medicare and that you need a new card – or need to do anything related to getting a new card – this is likely a scam, and it resurfaces regularly.

Don’t provide any information to the caller, and don’t respond to a text or email. If possible, report the details to your state’s Senior Medicare Patrol.

What should I do if I suspect my Medicare information was leaked?

If you receive a Medicare data breach notification from CMS, you’ll want to carefully read the letter. If you don’t understand the details, you can call Medicare (1-800-MEDICARE) anytime you have a question or concern.

What information might be exposed in a data breach?

The information exposed in a breach of Medicare data will depend on the specifics of the breach. It could involve a variety of PII and/or PHI, including:

  • Your name, birthday, and contact information (mailing address, email address, phone number, etc.)
  • Your driver’s license or state ID number
  • Your Social Security Number or Individual Taxpayer Identification Number
  • Your Medicare Beneficiary Identifier (MBI) or Health Insurance Claim Number (HICN)
  • Your medical history and medical claims details, including data that appears on a Medicare Summary Notice, details about your medical providers and prescription drugs, etc.
  • Your health benefits and enrollment information, including details about Medicare Advantage, Medicare Part D, or Medigap coverage that you may have.

The letter you receive from CMS will explain the type of data that was or may have been compromised.

What can a scammer do with my Medicare number?

Your Medicare Beneficiary Identifier (MBI) is a unique ID number that goes with your Medicare account. If someone else obtains this number, they can use it to file fraudulent claims with Medicare to obtain medical care and equipment in your name.

Fraudulent claims affect both the government and the beneficiary. Medicare fraud, errors, and abuse are estimated to cost the government $60 billion each year.2This is obviously not always due to data breaches: The Medicare Fraud and Abuse handbook focuses almost entirely on medical providers who misuse or abuse the Medicare program. But Medicare identity theft, including identity theft that stems from data breaches, is one of the ways this can happen.

For beneficiaries whose MBI is used fraudulently, the result can be medical bills (deductible, copay, and coinsurance charges) for services they didn’t use, benefit caps being reached despite the person not obtaining services, and erroneous medical records that can be challenging to sort out.

If you receive a medical bill or a Medicare Summary Notice that doesn’t appear correct, you should contact the medical provider for clarification. If you suspect fraud or Medicare identity theft, call 1-800-MEDICARE or contact the Senior Medicare Patrol in your state for guidance.

Scammers use a variety of tactics to get Medicare beneficiaries to divulge their MBI. But these numbers can also be part of a data breach, and the information could be compromised even if the beneficiary doesn’t communicate with the scammer.

Are new Medicare cards being issued for 2023 or 2024?

Most Medicare beneficiaries are not receiving new Medicare cards at this time. However, if your MBI is impacted by a data breach, CMS will mail you a new card that has a new MBI. You’ll continue to use your current Medicare card until the new one arrives. At that point, you should destroy the old one and notify your medical providers that you have a new MBI.

In 2018 and 2019, CMS sent new Medicare cards to all beneficiaries, with new MBIs in place of the previous identification numbers that were based on Social Security Numbers. Those cards continue to be in use, and you do not need a new one unless CMS notifies you that your MBI has been impacted by a data breach.

What is being done to protect my Medicare data?

According to Experian, medical records are among the most valuable assets sold on the dark web, depending on how complete they are. So, Americans’ PII and PHI, including that of Medicare beneficiaries, continues to be a target for data hacks and breaches.

Breaches of Medicare data affect more people each year. In a 26-month period starting in late 2009, CMS notified approximately 14,000 Medicare beneficiaries that their data had been impacted by a breach. The notification process has improved since then, but the scope and number of healthcare data breaches has also grown sharply in recent years,3with hundreds of thousands of beneficiaries affected in recent data breaches.

An Office of the Inspector General audit, conducted in 2020, uncovered various cybersecurity weaknesses in the CMS system, all of which were remedied. And the government has taken extensive measures over the last several years to improve cybersecurity in healthcare.

But staying ahead of cyber threats is an ongoing process. A 2022 white paper published by Virginia Senator Mark Warner, notes that Medicare payment formulas need to be adjusted to ensure that the cost of cybersecurity is “reflected in [Medicare] payment formulas the way paying the electricity or water bills are.”4CMS and Medicare contractors will need to continue to adapt and evolve on this front, as is the case for all organizations that are vulnerable to data breaches.


Louise Norris is an individual health insurance broker who has been writing about health insurance and health reform since 2006. She has written dozens of opinions and educational pieces about Medicare for medicareresources.org since 2013.

Footnotes
  1. Medicare & You” Medicare.gov, Accessed January 2024 
  2. Dollars Lost to Fraud” Senior Medicare Patrol, Accessed December 2023 
  3. 2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead“ HHS.gov, Feb. 9, 2023 
  4. Cybersecurity is Patient Safety” Sen. Mark Warner, November 2022 
Find a plan.