Centers for Medicare & Medicaid Services Data Breach 2025: 107,154 Beneficiaries Exposed in Medicare.gov Account-Takeover Scheme. What To Do.
CMS notified roughly 103,000 beneficiaries (the HHS OCR filing logs 107,154) that malicious actors used valid personal data obtained from unknown external sources to fraudulently create Medicare.gov accounts between 2023 and 2025. Once the accounts existed, attackers could access provider info, mailing address, diagnosis codes, dates of service, and plan premium details. CMS issued new Medicare Beneficiary Identifiers and new cards. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 1, 2023
Approximate start of the period when fraudulent Medicare.gov accounts were being created (CMS dates the activity to 2023-2025)
May 2, 2025
1-800-MEDICARE call center begins receiving calls from beneficiaries who received account-creation confirmation letters for accounts they did not create
Jun 30, 2025
CMS files breach report with HHS Office for Civil Rights (107,154 individuals; Hacking/IT Incident at Network Server)
Jul 1, 2025
CMS issues public press release and begins mailing notification letters; new Medicare cards with new MBIs being issued to affected beneficiaries
Jan 1, 2023
Approximate start of the period when fraudulent Medicare.gov accounts were being created (CMS dates the activity to 2023-2025)
May 2, 2025
1-800-MEDICARE call center begins receiving calls from beneficiaries who received account-creation confirmation letters for accounts they did not create
Jun 30, 2025
CMS files breach report with HHS Office for Civil Rights (107,154 individuals; Hacking/IT Incident at Network Server)
Jul 1, 2025
CMS issues public press release and begins mailing notification letters; new Medicare cards with new MBIs being issued to affected beneficiaries
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
The Centers for Medicare & Medicaid Services - the federal agency that administers Medicare and Medicaid for roughly 160 million Americans - filed a HIPAA breach report with the HHS Office for Civil Rights on June 30, 2025, logging 107,154 affected individuals in a Hacking/IT Incident classified at Network Server. CMS’ public press release rounds the count to “approximately 103,000”; the higher OCR figure reflects the final tally submitted in the regulatory filing.
This was not a cyber intrusion into CMS systems. It was an account-takeover scheme: an unidentified threat actor used valid beneficiary personal data, obtained from “unknown external sources” per CMS, to fraudulently create Medicare.gov online accounts in beneficiaries’ names. Once those accounts existed, the attackers could see additional beneficiary data inside the portal. The compromised credentials almost certainly came from a third-party data breach elsewhere - not from CMS itself - but the agency has not named the upstream source.
Timeline
- 2023-2025 — Malicious actors fraudulently create Medicare.gov accounts using valid beneficiary information (MBI, coverage start date, last name, date of birth, ZIP code) sourced externally.
- May 2, 2025 — 1-800-MEDICARE call center begins receiving calls from beneficiaries who received written confirmation letters for accounts they had never opened. CMS opens its investigation.
- June 30, 2025 — CMS files the breach with HHS OCR, logging 107,154 affected individuals.
- July 1, 2025 — CMS issues a public press release and begins mailing individual notification letters. New Medicare cards with replacement MBIs are issued to affected beneficiaries.
What was exposed
The data used to create the fraudulent accounts (i.e., what the attackers already had in hand before logging in):
- Medicare Beneficiary Identifier (MBI)
- Coverage start date
- Last name
- Date of birth
- ZIP code
Additional data the attackers may have viewed once inside the fraudulent Medicare.gov accounts:
- Mailing address
- Provider information
- Dates of service
- Diagnosis codes
- Services received
- Plan premium details
CMS has stated it is “not aware of any reports of identity fraud or misuse” tied to the incident.
Sensitive-population considerations
The affected population skews older and is structurally more vulnerable than the average breach victim. Medicare beneficiaries are overwhelmingly age 65 and older, disabled adults under 65, and people with end-stage renal disease. Many are on fixed incomes; many manage their own health care without an adult child or caregiver to help review mail and account statements; many are not regular online-account users. The Medicare.gov account is also a high-value target because it can be used to redirect provider correspondence, change communication preferences, and pull together a complete claims history - exactly the raw material for Medicare fraud schemes targeting seniors.
If you are helping a parent, grandparent, or older relative who is a Medicare beneficiary, treat any letter from CMS or Medicare about this incident as worth opening with them, not for them, and walk through the steps below together.
What CMS is offering
- New Medicare Beneficiary Identifier (MBI) and new Medicare card mailed to each affected beneficiary. This is the central protective action - it invalidates the old number the attacker used.
- Deactivation of all fraudulently created Medicare.gov accounts.
- New control: account creation from foreign IP addresses has been disabled.
- Ongoing claims monitoring for suspicious activity tied to affected MBIs.
- Individual notification letters mailed to each affected beneficiary explaining the incident and the steps CMS is taking.
CMS did not publicly announce a complimentary credit-monitoring offering at the time of the notification. If your individual letter includes a credit-monitoring activation code, follow the instructions in the letter; otherwise the protective steps below apply.
Class-action posture
As of this writing, no class-action complaint against CMS over this specific incident has been publicly identified. That is consistent with the legal reality that the federal government enjoys sovereign-immunity defenses that make data-breach class actions against federal agencies harder to bring than against private companies. Plaintiff firms have not announced public investigations of this incident in the trade press tracked here. We update this page if that changes.
What to do — Medicare-fraud-specific guidance
- Read any letter from CMS or Medicare carefully. It will tell you whether you are one of the 107,154 affected beneficiaries and whether a new Medicare card with a new MBI is on its way. Do not throw it away.
- When the new Medicare card arrives, start using it immediately. Destroy the old card. Give the new MBI to your providers and your Medicare Advantage or Part D plan if you have one. The old MBI is the number the attacker had; the new one is the protection.
- Review your Medicare Summary Notice (MSN) or your Medicare Advantage Explanation of Benefits. Look for services, providers, dates, or equipment you do not recognize. Medicare fraud often shows up as durable medical equipment (back braces, knee braces, catheters), genetic-testing kits, or visits with providers you have never seen.
- Report suspected Medicare fraud to 1-800-MEDICARE (1-800-633-4227) or to the HHS Office of Inspector General hotline at 1-800-HHS-TIPS. Reports are confidential.
- Be on guard for phone scams that name-drop this breach. Real Medicare will not call you out of the blue to “confirm” your new MBI, ask for your Social Security number, or ask for a payment to “activate” your new card. If a caller does any of those things, hang up and call 1-800-MEDICARE directly using the number on the back of your card.
- Consider freezing your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, can be done by phone or online, and is the single highest-leverage step against new-account identity theft. This is general identity-theft hygiene; even though CMS has not reported Social Security number exposure for this specific incident, the underlying compromise that fed the attackers’ Medicare.gov inputs may have included other data not yet attributed.
- Bookmark this page. We update it as new public information becomes available.
Sources
- CMS Press Release: Notifies Individuals Potentially Impacted by Data Incident — the agency’s own statement and the basis for most reporting on this incident.
- HIPAA Journal: CMS Notifies 103,000 Medicare Beneficiaries About Unauthorized Account Creation — trade-press summary with timeline and data-element list.
- BankInfoSecurity / GovInfoSecurity: Feds Notify 103,000 Medicare Beneficiaries of Scam, Breach — independent confirmation of scope and CMS response measures.
- Newsweek: 100,000 Americans To Get New Medicare Numbers After Data Incident — general-press coverage focused on the new-MBI remediation.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach (107,154 individuals; Hacking/IT Incident at Network Server; filed 2025-06-30).
I confirm this entry is sourced to CMS’ own press release plus HIPAA Journal, GovInfoSecurity, Newsweek, and the HHS OCR portal record, and is distinct from the 2024 Wisconsin Physicians Service / MOVEit incident (946,801 beneficiaries) that involved a CMS contractor rather than the Medicare.gov account-creation channel.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- CMS Press Release: Notifies Individuals Potentially Impacted by Data Incident
- HIPAA Journal: CMS Notifies 103,000 Medicare Beneficiaries About Unauthorized Account Creation
- BankInfoSecurity / GovInfoSecurity: Feds Notify 103,000 Medicare Beneficiaries of Scam, Breach
- Newsweek: 100,000 Americans To Get New Medicare Numbers After Data Incident
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.