The Centers for Medicare & Medicaid Services (CMS) is informing Medicare beneficiaries that their personal information might be involved in a data incident impacting their Medicare.gov accounts. The CMS utilized information obtained from unknown external sources to detect unusual activities linked to the fraudulent creation of certain online beneficiary accounts. They are treating this matter with utmost seriousness, as ensuring the security of personally identifiable information is extremely important to them.
Once the incident was identified, the CMS promptly disabled affected patient accounts, investigated the extent of the compromise, and worked to lessen the impact on those involved. They are collaborating with relevant stakeholders to thoroughly investigate the situation.
About 103,000 beneficiaries might have been impacted by this issue. Notifications will be mailed to these individuals, detailing the situation, advising steps to protect their information, and outlining further actions they can take.
Here’s an example of the letters sent to those potentially affected.
Dear ____________________,
This letter is to inform you about incidents that concern your personal information linked to your Medicare.gov account. To ensure your privacy, we will be sending you a new Medicare card with a new Medicare number in the coming weeks.
This incident involves unknown individuals who accessed your data from sources we do not know and created a Medicare.gov account fraudulently.
We’re providing this letter to help you understand what happened, how we’re addressing it, and additional steps you can take to safeguard your privacy. Please note that your current Medicare benefits or compensation remain unaffected by this incident.
What transpired?
On May 2, 2025, CMS’s 1-800 Medicare Call Center began receiving calls from beneficiaries who received letters confirming the creation of a Medicare.gov account. CMS initiated an investigation and found that between 2023 and 2025, unknown malicious actors had created fraudulent accounts using legitimate beneficiary information like Medicare Beneficiary Identifier (MBI), coverage start date, last name, date of birth, and postal code.
Once these unauthorized accounts were created, it’s likely that these bad actors accessed further sensitive data, which could include:
- Provider information
- Mailing address
- Service dates
- Diagnostic codes
- Details of services received
- Plan premium details
At this time, CMS hasn’t received reports of information fraud or misuse directly linked to this activity. Nevertheless, proactive measures are being implemented to protect beneficiary information.
What measures are being taken?
- CMS has swiftly deactivated all unauthorized Medicare.gov accounts.
- They have blocked the creation of new Medicare.gov accounts from foreign IP addresses to avoid further misuse.
- CMS continues monitoring billing data for any suspicious activity and is replacing MBIs for affected individuals.
- New Medicare cards with updated MBIs will be mailed to beneficiaries as needed.
What steps can beneficiaries take?
Beneficiaries are encouraged to:
- Review Medicare summary notifications and explanations of benefits for any unfamiliar charges or services.
- Report suspicious activities to the inspector’s office by calling 1-800-Medicare (1-800-633-4227) or visiting oig.hhs.gov/fraud/report-fraud/.
- Obtain a free annual credit report at www.annualcreditreport.com or by calling 1-877-322-8228.
- Contact 1-877-IDTHEFT (1-877-438-4338) or visit www.ftc.gov/idtheft to report identity theft concerns to local law enforcement and/or the Federal Trade Commission.
If you have additional questions or need further information, you can reach out to 1-800-Medicare (1-800-633-4227).



