CMS Alerts 103,000 Medicare Beneficiaries to Potential Data Breach Involving Unauthorized Account Creation

Centers for Medicare & Medicaid Services

WASHINGTON, D.C. — The Centers for Medicare & Medicaid Services (CMS) has announced that approximately 103,000 Medicare beneficiaries may have had personal information compromised in a data incident involving unauthorized online account creation.

According to CMS, the breach was identified after calls to the 1-800-MEDICARE line revealed that some beneficiaries had received unexpected confirmation letters for new Medicare.gov accounts they did not create. An internal investigation found that, between 2023 and 2025, malicious actors fraudulently used valid beneficiary data — including Medicare Beneficiary Identifiers, coverage start dates, and other personal details — to establish unauthorized accounts.

Once these accounts were active, the perpetrators potentially accessed sensitive information such as provider details, service dates, diagnosis codes, and plan premium data. While there is no evidence so far of identity theft or misuse linked directly to this incident, CMS emphasized that it is taking extensive precautionary measures.

In response, CMS has deactivated all fraudulently created accounts and blocked new account creation from foreign IP addresses. Impacted beneficiaries are receiving mailed notifications with detailed instructions. New Medicare cards with updated identifiers are being issued to strengthen security.

CMS urges beneficiaries to review their Medicare statements carefully, report any suspicious charges, and consider obtaining free credit reports. Further guidance is available through 1-800-MEDICARE.

The agency reiterated its commitment to protecting personal information and is continuing to monitor the situation closely to prevent further unauthorized access.

For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and MSN.