How long had the fraudulent Medicare.gov account creation been occurring?

The CMS investigation discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information. The systematic nature of the account creation and the extended timeframe indicate an organized and persistent scam campaign spanning multiple years.

What information was compromised in the CMS Medicare fraud incident?

The exposed data includes Medicare Beneficiary Identifiers (MBI), coverage start dates, last names, dates of birth, zip codes, mailing addresses, provider information, dates of service, diagnosis codes, services received, and plan premium details. Once unauthorized accounts were established, threat actors gained access to additional sensitive information stored within the Medicare system.

Are there any reports of identity fraud resulting from this CMS incident?

CMS has stated it is not aware of any reports of identity fraud or misuse of the information as a direct result of this activity. However, the compromised information could potentially be used for identity theft, healthcare fraud, or other criminal activities.

What should Medicare beneficiaries do if they think they were affected?

Medicare beneficiaries should watch for their written notification from CMS, monitor their Medicare statements for unauthorized services, check their credit reports for suspicious activity, be cautious of healthcare-related phishing attempts, and contact 1-800-MEDICARE if they notice any unauthorized activity on their Medicare benefits or receive suspicious communications.

How were the fraudulent Medicare.gov accounts initially detected?

The fraudulent accounts were detected when beneficiaries began calling the 1-800-MEDICARE call center after receiving official letters confirming the creation of Medicare.gov accounts they had never requested or initiated themselves.

What makes this CMS incident particularly concerning?

This incident is particularly concerning because it involved systematic, organized fraud over an extended period (2023-2025), affected over 100,000 beneficiaries, and exposed comprehensive healthcare and personal information that could be used for various types of fraud and identity theft. The fraudsters had access to detailed Medicare beneficiary information from unknown external sources.

Could this CMS incident lead to healthcare fraud?

Yes, the compromised information includes provider information, dates of service, diagnosis codes, services received, and plan premium details, which could potentially be used for healthcare fraud schemes. Beneficiaries should carefully review all Medicare statements and reports for unauthorized services or claims.

What does this incident reveal about Medicare.gov security?

This incident reveals that Medicare.gov's account creation process previously lacked sufficient verification measures to prevent fraudulent account creation using stolen beneficiary information. CMS has since implemented enhanced verification procedures and geographic restrictions to strengthen security controls.

Where did the fraudsters obtain the beneficiary information used to create accounts?

The source of the beneficiary information used to create the fraudulent accounts is unknown. CMS has indicated that the information was obtained from external sources, suggesting the fraudsters had access to comprehensive Medicare beneficiary data from some undisclosed breach or data source.

Incident

Centers for Medicare & Medicaid warn 103,000 beneficiaries of unauthorized Medicare.gov account creation

Q: What security incident occurred at the Centers for Medicare & Medicaid Services (CMS)?

CMS is reporting a security incident involving unauthorized creation of Medicare.gov accounts affecting approximately 103,000 beneficiaries across the United States. Malicious actors systematically created false online accounts using legitimate beneficiary information obtained from unknown external sources, potentially exposing sensitive healthcare and personal information over multiple years.

Q: How did the fraudsters create the unauthorized Medicare.gov accounts?

Malicious actors fraudulently created new accounts using valid beneficiary information, including Medicare Beneficiary Identifiers, coverage start dates, last names, dates of birth, and zip codes. This information was obtained from unknown external sources, suggesting the fraudsters had access to comprehensive Medicare beneficiary data.

Q: What security measures has CMS implemented to prevent future incidents?

CMS has disabled the ability to create new Medicare.gov accounts from non-US IP addresses, implemented enhanced verification procedures for new account creation, and is monitoring Medicare claims data for suspicious activity to prevent similar incidents in the future.

published: July 2, 2025

Take action: As an individual, be very careful what data is available online about you. Be very selfish with your data, because it can be abused to impersonate you. As a developer, consider that an attacker can scrape data for someone else, and implement controls that can stop such impersonation by mechanisms for extra verification.

Learn More

The Centers for Medicare & Medicaid Services (CMS) is reporting a security incident of unauthorized creation of Medicare.gov accounts affecting approximately 103,000 beneficiaries across the United States. The incident is a fraud scheme where malicious actors systematically created false online accounts using legitimate beneficiary information obtained from unknown external sources, potentially exposing sensitive healthcare and personal information over an extended period spanning multiple years.

The security incident was discovered on May 2, 2025, when CMS's 1-800-MEDICARE call center began receiving inquiries from confused beneficiaries who had received official letters confirming the creation of Medicare.gov accounts they had never initiated.

The CMS investigation discovered that malicious actors had fraudulently created new accounts between 2023 and 2025 using valid beneficiary information, including Medicare Beneficiary Identifiers, coverage start dates, last names, dates of birth, and zip codes. The systematic nature of the account creation and the extended timeframe indicate an organized and persistent scam campaign.

Once the unauthorized accounts were established, the threat actors gained access to additional sensitive information stored within the Medicare system, significantly expanding the scope of potentially compromised data which can be used for identity theft, healthcare fraud, or other criminal activities. Exposed data includes:

Medicare Beneficiary Identifiers (MBI)
Coverage start dates
Last names
Dates of birth
Zip codes
Mailing addresses
Provider information
Dates of service
Diagnosis codes
Services received
Plan premium details

The incident affected approximately 103,000 Medicare beneficiaries whose personal information was used to create the fraudulent accounts. CMS has stated it is not aware of any reports of identity fraud or misuse of the information as a direct result of this activity.

Following detection of the incident, CMS deactivated all fraudulently created Medicare.gov accounts and implement additional security measures including disabling the ability to create new Medicare.gov accounts from non-US IP addresses. The agency is also monitoring Medicare claims data for suspicious activity and has implemented enhanced verification procedures for new account creation to prevent similar incidents in the future.

CMS is mailing written notifications to all potentially affected beneficiaries, providing detailed information about the incident, outlining the steps being taken to protect their information, and offering guidance on additional protective measures they can take.

Centers for Medicare & Medicaid warn 103,000 beneficiaries of unauthorized Medicare.gov account creation

Read More
Hackers breach Belgian intelligence mail through vulnerable Barracuda …
Greenville municipality hit by ransomware attack
LA County Superior Court hit by ransomware attack …
Barbados Revenue Authority investigating data breach of vehicle …
Trumbull County reports data breach originating from third-party …