[Guest Post]Medicare Breach Disclosure
Medicare lost medical records of 103K and their disclosure raises additional questions
This week, I’m excited to feature
of Cybersecurity Disclosure Review. His work shines a light on exactly why that trust so often proves misplaced. Joe has built a reputation for dissecting how organizations—particularly public companies—try to bury or soften the truth when disclosing data breaches. His newsletter has quickly become essential reading for anyone who wants to see past the bland corporate statements and understand what really happened. Today, he’s bringing that same sharp analysis to Medicare’s recent disclosure of a breach impacting 103,000 patients. The official statements are filled with bureaucratic language, partial admissions, and a convenient invocation of “unknown external sources” to explain how this data fell into criminal hands.
In this guest post, Joe breaks down:
Why that phrase should raise immediate red flags
What the timeline of the compromise implies about detection failures
How familiar patterns of reactive (instead of proactive) risk management keep repeating in healthcare
And why the scale and specificity of the breach points to potential weak links outside any central Medicare database
If you’ve ever wondered how your most sensitive data ends up circulating on the dark web—and why the disclosures rarely tell the full story—this is a must-read.
I know the community is hungry for these insider type posts to understand what’s really happening.
Enjoy, show some love with a like, comment, restack and if you really like it consider subscribing.
One of the most common questions I get asked by family and friends regarding cybersecurity:
“Is it safe to give my personal information to <insert random app>?”
My response is usually something along these lines: “well…you gave your health insurance company your personal information.”
The health industry is responsible for a significant portion of the personal information circulating on the dark web. So it shouldn’t be surprising to hear that Medicare (or someone with access to Medicare records) has lost the data of 103,000 patients. Their disclosure on this matter is worth digging into.
The opening paragraph of the disclosure has a concerning statement:
“The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources.”
“Unknown external sources” is unsettling. Is the problem fixed? The compromised Medicare data was created by and stored by CMS. To make a statement that the data was “obtained from unknown external sources” is not only absolving yourself of responsibility for the breach but also admitting you had no idea who was insecurely storing this information. I do think they know more about this situation than the statement reveals. To know that exactly 103K victims were impacted is oddly specific, and you can probably draw some conclusions based on the impacted patients.
So what could possibly be the source of such a breach? While 103K is a very large number, it is well short of the 65+ million currently on Medicare. And standard threat actor behavior is to take all information they have access to. So the question I ask is: who would have information on 103K Medicare patients, and that represents all the data the threat actor could extract?
I think we can rule out any type of central Medicare database.
The health insurance companies would also likely have a number larger than this.
Hospitals are a different story: a single large hospital could plausibly hold records for 103K Medicare patients.
Let’s take a look at another statement in the disclosure:
“On May 2, 2025, CMS’ 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received letters confirming the creation of Medicare.gov accounts they did not initiate. CMS promptly launched an investigation and discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers (MBI), coverage start date, last name, date of birth, and zip code.”
The exploitation of data starts taking place in 2023. So it’s a good bet the breach occurred in 2022 or 2023. There may have been an extended ransomware attempt before using the data, so you can’t rule out earlier than that. But for the sake of a manageable investigation, let’s find out what hospitals were hit during this time frame.
I had ChatGPT in deep research mode provide a list of hospitals that were breached in 2022 or 2023 that could have potentially served over 103K Medicare patients over the last 10 years. The time period could have been much shorter than 10 years depending on a number of factors, but we’ll start here.
That is just a purely hypothetical list of potential suspects based on the contents of the disclosure.
Other Red Flags from This Disclosure
There are certainly some other head scratchers in this disclosure:
“On May 2, 2025, CMS’ 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received letters confirming the creation of Medicare.gov accounts they did not initiate…malicious actors had fraudulently created new accounts between 2023 and 2025”
The CMS appears to be admitting here that this exploit has been ongoing since 2023, but it wasn’t until 2025 that they caught on. This would suggest a lack of internal fraud detection within the CMS itself, outside of the unknown source that was breached.
“CMS is not aware of any reports of identity fraud or misuse of the information as a direct result of this activity. Nevertheless, out of an abundance of caution, CMS is taking proactive steps to safeguard beneficiary information.”
Creating a Medicare account using stolen information is identity fraud itself. I think what they’re trying to say is that identity fraud hasn’t occurred outside of Medicare, but still a poor choice of words.
“CMS disabled the ability to create new Medicare.gov accounts from foreign IP addresses to prevent further exploitation.”
This is classic reactive risk management instead of proactive. There are very few exceptions for needing to register an online Medicare account outside of the USA. A manual process for these rare exceptions can surely suffice. The private sector has been blocking foreign IPs for a variety of reasons for years now. I can’t think of a situation where this proactive protective measure shouldn’t have been in place already.
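The two gaps discussed above, no internal detection of the account-creation fraud for roughly two years and a foreign-IP block applied only after the fact, are the kind of thing a small registration-log monitor can catch early. The following is an added example, not CMS code: it assumes a hypothetical Medicare.gov-style registration log with a timestamp, source IP, GeoIP country already resolved upstream, and a hashed beneficiary identifier, and flags both foreign-origin sign-ups and bursts of sign-ups from one IP (thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical account-registration service.
# Fields: timestamp, source IP (documentation ranges), GeoIP country, hashed MBI.
SAMPLE_LOG = """\
2023-03-01T10:00:00Z 192.0.2.10 US mbi_hash_0001
2023-03-01T10:00:07Z 203.0.113.5 XX mbi_hash_0002
2023-03-01T10:00:15Z 203.0.113.5 XX mbi_hash_0003
2023-03-01T10:00:29Z 203.0.113.5 XX mbi_hash_0004
2023-03-01T10:00:41Z 203.0.113.5 XX mbi_hash_0005
2023-03-01T10:00:55Z 203.0.113.5 XX mbi_hash_0006
2023-03-01T11:30:00Z 198.51.100.7 US mbi_hash_0007
2023-03-02T09:00:00Z 198.51.100.8 XX mbi_hash_0008
"""

HOME_COUNTRIES = {"US"}   # assumption: beneficiaries are expected to register only from here
VELOCITY_LIMIT = 5        # assumption: 5+ new accounts from one IP inside WINDOW is anomalous
WINDOW = timedelta(minutes=10)

def parse(log_text):
    """Parse the assumed log format into (timestamp, ip, country, mbi_hash) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, country, mbi_hash = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, country, mbi_hash))
    return events

def detect(log_text):
    """Return foreign-origin registrations and IPs whose burst of sign-ups exceeds the limit."""
    events = sorted(parse(log_text))
    # Proactive counterpart to the foreign-IP block: alert on every non-home-country sign-up.
    foreign = [e for e in events if e[2] not in HOME_COUNTRIES]
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    velocity = {}
    for ip, stamps in by_ip.items():
        # Sliding window: largest number of registrations from this IP within WINDOW.
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= VELOCITY_LIMIT:
            velocity[ip] = best
    return {"foreign": foreign, "velocity": velocity}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the constructed sample, the burst from 203.0.113.5 trips the velocity rule and six sign-ups trip the foreign-origin rule; either alert alone would have surfaced this activity long before beneficiaries started phoning the call center.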
So there you have it. If you think about the way the US medical industry works, you go to a hospital and give them your insurance information. That data is then entered into the data systems of hospitals of varying size and security posture, without any oversight from the insurance providers, whether they are Medicare or private carriers. It’s not surprising to see the health industry consistently struggle with data loss. As more data becomes available perhaps we can analyze exactly what went wrong in this instance.
Thanks so much to Joe
What a great look behind the scenes from a seasoned pro. If you’d like to be featured on a future Guest Post Tuesday, please reach out. You can send me a message or message me securely on Signal at btfprivacy.87
Until Next Time…
Just one more of many disclosures that can make each of us become numb to such breaches, and yet, we need to know. We have too many ways for more people to be marginalized via the posting of such information on the dark web and from the everyman standpoint, it's hard to fight back.