Cybersecurity

Medicare administrative contractor news includes a data breach and potential consolidation

The breach exposed the information of nearly 950,000 beneficiaries whose claims go through the affected contractor.

September 9, 2024 4:36 pm

Recent happenings involving Medicare administrative contractors (MACs) include a notice of a data breach and a request for feedback on possible consolidation.

CMS sent out word that nearly 950,000 Medicare beneficiaries whose claims go through Wisconsin Physicians Service Insurance Corporation (WPS) are being informed that their protected health information or other personally identifiable information may have been compromised due to a security vulnerability in third-party software.

The breach also could have affected those with other insurance if their information was collected to support CMS’s audits of healthcare providers, according to a news release.

Belying its name, WPS handles Medicare Parts A and B claims spanning Indiana, Iowa, Kansas, Michigan, Missouri and Nebraska (not Wisconsin).

Details on the breach

The data exposure took place over five days in May 2023, allowing unauthorized third parties to gain access to information in files that were transferred using MOVEit software during claims processing.

In an investigation soon after the incident, WPS did not find evidence that an unauthorized party accessed the vulnerable files, the contractor and CMS said. But after “new information” came in a year later, an additional review assisted by a cybersecurity firm found that an unauthorized party did copy files from the MOVEit transfer system.

Following that discovery, a review suggested the impacted files did not contain personal information. But in early July, when evaluating a different portion of the files, WPS found that personal information was exposed. The contractor then informed CMS.

The exposed information includes names, Social Security numbers/taxpayer identification numbers, dates of birth, mailing addresses, hospital account numbers, dates of service, Medicare beneficiary identifiers (MBIs) and health insurance claim numbers.

As with other breaches across industries, including this year’s cyberattack on Change Healthcare, affected consumers are being offered free credit monitoring and the opportunity to download a complimentary credit report.

Beneficiaries whose MBI may have been exposed will receive a new number from CMS but can continue to use their current Medicare cards in the meantime, according to the notice.

Potential MAC consolidation

Healthcare stakeholders are invited to answer CMS’s request for information on possibly merging four MAC jurisdictions into two.

One such arrangement would consolidate the jurisdiction covering Iowa, Kansas, Missouri and Nebraska (Jurisdiction 5, administered by WPS) with the one for Illinois, Minnesota and Wisconsin (Jurisdiction 6, administered by National Government Services). The latter, in addition to handling Parts A and B claims for those three states, has responsibility for home health and hospice claims for more than 15 states and U.S. territories.

Another consolidation would combine a jurisdiction covering Indiana and Michigan (Jurisdiction 8, administered by WPS) with the one serving Kentucky and Ohio (Jurisdiction 15, administered by CGS Administrators). The second jurisdiction also processes home health and hospice claims for more than 15 states.

Among the issues CMS seeks to understand better via the RFI are challenges that could arise for communication between MACs and providers if the jurisdictions are consolidated.

CMS also is soliciting feedback on a proposal to extend the duration of future MAC contracts from seven years to 10, saying it believes “awarding 10-year contracts will motivate contractors to be more innovative and efficient because contractors would have more time to achieve a return on their investment and drive down costs.”

The RFI seeks input on metrics and evaluation criteria to assess the education and outreach a MAC would offer to providers under a longer contract. Comments on the RFI are due by Oct. 4.

Advertisements

googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );