Active breach tracker Baltimore, Maryland Disclosed June 30, 2025

Centers for Medicare & Medicaid Services Data Breach 2025: 107,154 Beneficiaries Exposed in Medicare.gov Account-Takeover Scheme. What To Do.

CMS notified roughly 103,000 beneficiaries (the HHS OCR filing logs 107,154) that malicious actors used valid personal data obtained from unknown external sources to fraudulently create Medicare.gov accounts between 2023 and 2025. Once the accounts existed, attackers could access provider info, mailing address, diagnosis codes, dates of service, and plan premium details. CMS issued new Medicare Beneficiary Identifiers and new cards. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 1, 2023

Approximate start of the period when fraudulent Medicare.gov accounts were being created (CMS dates the activity to 2023-2025)

May 2, 2025

1-800-MEDICARE call center begins receiving calls from beneficiaries who received account-creation confirmation letters for accounts they did not create

Jun 30, 2025

CMS files breach report with HHS Office for Civil Rights (107,154 individuals; Hacking/IT Incident at Network Server)

Jul 1, 2025

CMS issues public press release and begins mailing notification letters; new Medicare cards with new MBIs being issued to affected beneficiaries

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Diagnosis codes (post-account-creation)

03

Contact & insurance

Phishing + targeted scams

Medicare Beneficiary Identifier (MBI) Coverage start date Last name ZIP code Mailing address (post-account-creation) Provider information (post-account-creation) Dates of service (post-account-creation) Services received (post-account-creation) Plan premium details (post-account-creation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

The Centers for Medicare & Medicaid Services - the federal agency that administers Medicare and Medicaid for roughly 160 million Americans - filed a HIPAA breach report with the HHS Office for Civil Rights on June 30, 2025, logging 107,154 affected individuals in a Hacking/IT Incident classified at Network Server. CMS’ public press release rounds the count to “approximately 103,000”; the higher OCR figure reflects the final tally submitted in the regulatory filing.

This was not a cyber intrusion into CMS systems. It was an account-takeover scheme: an unidentified threat actor used valid beneficiary personal data, obtained from “unknown external sources” per CMS, to fraudulently create Medicare.gov online accounts in beneficiaries’ names. Once those accounts existed, the attackers could see additional beneficiary data inside the portal. The compromised credentials almost certainly came from a third-party data breach elsewhere - not from CMS itself - but the agency has not named the upstream source.

Timeline

  • 2023-2025 — Malicious actors fraudulently create Medicare.gov accounts using valid beneficiary information (MBI, coverage start date, last name, date of birth, ZIP code) sourced externally.
  • May 2, 2025 — 1-800-MEDICARE call center begins receiving calls from beneficiaries who received written confirmation letters for accounts they had never opened. CMS opens its investigation.
  • June 30, 2025 — CMS files the breach with HHS OCR, logging 107,154 affected individuals.
  • July 1, 2025 — CMS issues a public press release and begins mailing individual notification letters. New Medicare cards with replacement MBIs are issued to affected beneficiaries.

What was exposed

The data used to create the fraudulent accounts (i.e., what the attackers already had in hand before logging in):

  • Medicare Beneficiary Identifier (MBI)
  • Coverage start date
  • Last name
  • Date of birth
  • ZIP code

Additional data the attackers may have viewed once inside the fraudulent Medicare.gov accounts:

  • Mailing address
  • Provider information
  • Dates of service
  • Diagnosis codes
  • Services received
  • Plan premium details

CMS has stated it is “not aware of any reports of identity fraud or misuse” tied to the incident.

Sensitive-population considerations

The affected population skews older and is structurally more vulnerable than the average breach victim. Medicare beneficiaries are overwhelmingly age 65 and older, disabled adults under 65, and people with end-stage renal disease. Many are on fixed incomes; many manage their own health care without an adult child or caregiver to help review mail and account statements; many are not regular online-account users. The Medicare.gov account is also a high-value target because it can be used to redirect provider correspondence, change communication preferences, and pull together a complete claims history - exactly the raw material for Medicare fraud schemes targeting seniors.

If you are helping a parent, grandparent, or older relative who is a Medicare beneficiary, treat any letter from CMS or Medicare about this incident as worth opening with them, not for them, and walk through the steps below together.

What CMS is offering

  • New Medicare Beneficiary Identifier (MBI) and new Medicare card mailed to each affected beneficiary. This is the central protective action - it invalidates the old number the attacker used.
  • Deactivation of all fraudulently created Medicare.gov accounts.
  • New control: account creation from foreign IP addresses has been disabled.
  • Ongoing claims monitoring for suspicious activity tied to affected MBIs.
  • Individual notification letters mailed to each affected beneficiary explaining the incident and the steps CMS is taking.

CMS did not publicly announce a complimentary credit-monitoring offering at the time of the notification. If your individual letter includes a credit-monitoring activation code, follow the instructions in the letter; otherwise the protective steps below apply.

Class-action posture

As of this writing, no class-action complaint against CMS over this specific incident has been publicly identified. That is consistent with the legal reality that the federal government enjoys sovereign-immunity defenses that make data-breach class actions against federal agencies harder to bring than against private companies. Plaintiff firms have not announced public investigations of this incident in the trade press tracked here. We update this page if that changes.

What to do — Medicare-fraud-specific guidance

  1. Read any letter from CMS or Medicare carefully. It will tell you whether you are one of the 107,154 affected beneficiaries and whether a new Medicare card with a new MBI is on its way. Do not throw it away.
  2. When the new Medicare card arrives, start using it immediately. Destroy the old card. Give the new MBI to your providers and your Medicare Advantage or Part D plan if you have one. The old MBI is the number the attacker had; the new one is the protection.
  3. Review your Medicare Summary Notice (MSN) or your Medicare Advantage Explanation of Benefits. Look for services, providers, dates, or equipment you do not recognize. Medicare fraud often shows up as durable medical equipment (back braces, knee braces, catheters), genetic-testing kits, or visits with providers you have never seen.
  4. Report suspected Medicare fraud to 1-800-MEDICARE (1-800-633-4227) or to the HHS Office of Inspector General hotline at 1-800-HHS-TIPS. Reports are confidential.
  5. Be on guard for phone scams that name-drop this breach. Real Medicare will not call you out of the blue to “confirm” your new MBI, ask for your Social Security number, or ask for a payment to “activate” your new card. If a caller does any of those things, hang up and call 1-800-MEDICARE directly using the number on the back of your card.
  6. Consider freezing your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, can be done by phone or online, and is the single highest-leverage step against new-account identity theft. This is general identity-theft hygiene; even though CMS has not reported Social Security number exposure for this specific incident, the underlying compromise that fed the attackers’ Medicare.gov inputs may have included other data not yet attributed.
  7. Bookmark this page. We update it as new public information becomes available.

Sources

I confirm this entry is sourced to CMS’ own press release plus HIPAA Journal, GovInfoSecurity, Newsweek, and the HHS OCR portal record, and is distinct from the 2024 Wisconsin Physicians Service / MOVEit incident (946,801 beneficiaries) that involved a CMS contractor rather than the Medicare.gov account-creation channel.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.