The Department of Health and Human Services Office of Inspector General (“OIG”) recently published a report, CMS Response to Breaches and Medical Identity Theft (“Report”), which referenced 14 breaches by the Centers for Medicare and Medicaid Services (CMS) of medical information, including Medicare numbers, affecting nearly 14,000 beneficiaries in the past two years. Because the Medicare number includes a beneficiary's social security number, the risk of identity theft resulting from these breaches is significant. CMS's notification to the affected individuals routinely failed to meet the timeliness and content requirements imposed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). To address these and other breaches, CMS has set up a database of the Medicare numbers of 284,000 beneficiaries and 5,000 providers that have been involved in medical identity theft in the past and are regarded as vulnerable. The Report notes, however, that database users reported problems with the interface and that the database alone is not an adequate remedy.
CMS's continued use of social security numbers as Medicare numbers has been under scrutiny for several years. Since 2002, the U.S. Government Accountability Office (GAO) has repeatedly recommended that CMS use a different methodology in assigning Medicare numbers in order to protect social security numbers. In May 2008, the OIG issued a report urging CMS to remove social security numbers from Medicare cards in order to prevent identity theft. CMS has consistently refused to modify its methodology, citing logistical and cost constraints. In an August 2012 hearing before the House Ways and Means Committee, Tony Trenkle, CMS's Chief Information Officer, testified that transitioning to a new methodology "would be a task of enormous complexity and cost that, undertaken without sufficient planning, would present great risks to continued access to healthcare for Medicare beneficiaries." Mr. Trenkle estimated that the cost of a smooth transition could be as high as $845 million, and he cautioned the committee that the transition would mean a substantial change for physicians treating Medicare patients. This recent string of CMS data breaches has captured the attention of lawmakers, who once again are calling for CMS to act.