A major cybersecurity incident has exposed sensitive personal and health records of tens of thousands of Americans.
In a notice, the Centers for Medicare & Medicaid Services (CMS) says 103,000 individuals across the United States with accounts on Medicare.gov are impacted by a data breach.
-->CMS says it discovered that user data had been compromised after receiving multiple complaints through its call center. According to the federal agency, hackers may have used information from external sources to collect data such as names, dates of birth, Medicare Beneficiary Identifiers, coverage start dates and ZIP codes to fraudulently create Medicare.gov accounts.
Once inside, the thieves gained access to more sensitive data, including provider details, mailing addresses, dates of service, diagnosis codes, services received and plan premiums.
“On May 2, 2025, representatives at our 1-800-MEDICARE call center flagged complaints from people with Medicare who had received a letter through the mail about the creation of a Medicare.gov account. However, these callers hadn’t created the accounts or asked anyone else to do it for them.
Noticing the similarities in the reports, we investigated further and discovered more cases of accounts created between 2023 and 2025 that matched this pattern. We quickly deactivated those accounts, while also launching a larger effort to find the bad actors who created them.”
The CMS is a federal agency under the U.S. Department of Health and Human Services tasked with overseeing the country’s healthcare programs, including Medicare, Medicaid, the Children’s Health Insurance Program and Health Insurance Marketplace.
The CMS is encouraging affected individuals to get a free credit report from each of the three major nationwide credit reporting companies. The agency also says that it hasn’t received any reports of identity fraud or improper use of personal information as a result of the incident.
