The Centers for Medicare & Medicaid Services has announced that the personal data of over 100,000 Medicare recipients might have been compromised in what they’re calling a “data incident.” Some of those affected will be issued new identification numbers.
In a recent announcement, CMS reported that around 103,000 individuals could have been impacted by unauthorized access to their information, which includes plan premium details and service records like mailing addresses, last names, dates of birth, zip codes, treatment details, and diagnostic codes.
The issue came to light when CMS noted unusual activity tied to Medicare.gov accounts on May 2, 2025. Call Centers began fielding inquiries from beneficiaries who received letters about accounts they had not set up themselves.
An unspecified entity, referred to as a “malicious actor,” is believed to have created these accounts between 2023 and 2025. CMS has since deactivated suspicious accounts and has restricted new account creation from foreign IP addresses.
Those potentially affected will soon receive letters that outline the situation and provide a new Medicare ID number and card. CMS indicates that, at this time, there’s no evidence of identity theft linked to this data breach.
What to Do if You’re Concerned About Your Medicare Account
CMS suggests that Medicare recipients closely monitor their account activities. They recommend the following actions:
- Review Medicare summary notices and explanations of benefits for any unfamiliar charges or services.
- Report any suspicious activity to 1-800-Medicare (1-800-633-4227) or the inspector general’s fraud reporting site.
- Request your free annual credit report from annualcreditreport.com or by calling 1-877-322-8228.
- If you suspect identity theft, contact 1-877-IDTHEFT (1-877-438-4338) or reach out to your local law enforcement and the Federal Trade Commission.
- For more questions or concerns, don’t hesitate to contact 1-800-Medicare (1-800-633-4227).
