Medicare data breach affects over 100,000—here’s what you need to know now
- Replies 0
If you’re one of the millions of Americans enrolled in Medicare, this news may be cause for concern.
Over 100,000 beneficiaries are receiving new Medicare numbers after a data breach involving unauthorized online accounts.
The incident, uncovered by the Centers for Medicare & Medicaid Services (CMS), highlights the growing risk of identity-related fraud in healthcare.
It’s a reminder that even trusted systems aren’t immune to cyber threats.
Here’s what happened, who’s affected, and how you can protect yourself moving forward.
Earlier this month, CMS began mailing letters to approximately 103,000 Medicare users after detecting suspicious activity tied to the creation of Medicare.gov accounts.
These weren’t standard account sign-ups—someone used real personal details to set up fake online accounts in other people’s names.
The compromised information may include Medicare Beneficiary Identifiers (MBIs), names, birth dates, ZIP codes, and coverage start dates.
In some cases, additional data such as mailing addresses, provider names, service details, and medical codes may also have been visible.
The breach was flagged on May 2 after CMS’s call center received several inquiries from people who were confused by confirmation letters for online Medicare accounts they never created.
A quick investigation revealed that between 2023 and 2025, bad actors had used legitimate personal data—likely obtained through other sources—to open unauthorized accounts.
At this time, there’s no confirmed evidence that the data has been used for fraud.
Still, CMS is acting out of caution by issuing new Medicare cards and launching a full investigation.
Medicare plays a vital role in the lives of older adults, and a breach like this is understandably unsettling.
Even if you didn’t receive a letter, the incident is a wake-up call: cybercriminals are increasingly targeting health data because it can be harder to change and more valuable than a stolen credit card.
Information like diagnosis codes and plan details could potentially be used for fraudulent billing or identity theft—so staying vigilant is more important than ever.
If you were notified by CMS, here’s what you should do:
Even if you weren’t impacted this time, it’s a good idea to brush up on some basic security practices:
Healthcare information has become a top target for cybercriminals.
Unlike a bank account or credit card number, you can’t easily change your medical history or Social Security number.
In fact, the Department of Justice recently reported one of the largest healthcare fraud cases in history—nearly $15 billion in losses tied to misuse of medical data.
This kind of data breach isn’t just a bureaucratic issue—it’s a reminder that we all have a role to play in protecting our personal information.
While this news may be unsettling, it’s also a powerful reminder of how far a little caution can go.
Take the steps you need to protect yourself, stay informed, and remember—you have every right to feel secure in your healthcare and your identity.
Read next: Are your devices at risk? Experts warn ransomware attacks could surge as young hackers team up with Russian cybercriminals
Did you receive a letter from CMS? Are you worried about how your Medicare data is being handled? Have you experienced identity theft in the past and have advice for others?
We’d love to hear from you. Share your thoughts and questions in the comments below—your experience might help someone else stay ahead of a scam or avoid future risk.
Over 100,000 beneficiaries are receiving new Medicare numbers after a data breach involving unauthorized online accounts.
The incident, uncovered by the Centers for Medicare & Medicaid Services (CMS), highlights the growing risk of identity-related fraud in healthcare.
It’s a reminder that even trusted systems aren’t immune to cyber threats.
Here’s what happened, who’s affected, and how you can protect yourself moving forward.
More than 100,000 Medicare recipients are receiving new cards after a data breach involving unauthorized online account creation. Image Source: YouTube / NBC4 Columbus.
What happened—and what was exposed?
Earlier this month, CMS began mailing letters to approximately 103,000 Medicare users after detecting suspicious activity tied to the creation of Medicare.gov accounts.
These weren’t standard account sign-ups—someone used real personal details to set up fake online accounts in other people’s names.
The compromised information may include Medicare Beneficiary Identifiers (MBIs), names, birth dates, ZIP codes, and coverage start dates.
In some cases, additional data such as mailing addresses, provider names, service details, and medical codes may also have been visible.
Also read: Is your personal data safe? LexisNexis breach exposes sensitive info of over 364,000 Americans
How was the breach discovered?
The breach was flagged on May 2 after CMS’s call center received several inquiries from people who were confused by confirmation letters for online Medicare accounts they never created.
A quick investigation revealed that between 2023 and 2025, bad actors had used legitimate personal data—likely obtained through other sources—to open unauthorized accounts.
At this time, there’s no confirmed evidence that the data has been used for fraud.
Still, CMS is acting out of caution by issuing new Medicare cards and launching a full investigation.
Also read: You could be owed money: AT&T customers may qualify for a major data breach settlement
Why it matters—even if you weren’t affected
Medicare plays a vital role in the lives of older adults, and a breach like this is understandably unsettling.
Even if you didn’t receive a letter, the incident is a wake-up call: cybercriminals are increasingly targeting health data because it can be harder to change and more valuable than a stolen credit card.
Information like diagnosis codes and plan details could potentially be used for fraudulent billing or identity theft—so staying vigilant is more important than ever.
Also read: You could be owed thousands from these data breach settlements—here’s how to claim it before time runs out
What to do if you received a letter from CMS
If you were notified by CMS, here’s what you should do:
- Wait for your new card – CMS will send you a new Medicare card with a new number. Once it arrives, destroy the old one and start using the replacement right away.
- Monitor your Medicare statements – Keep a close eye on your Explanation of Benefits (EOB) and any billing activity. If something doesn’t look right, report it immediately.
- Ignore suspicious calls or emails – Medicare will never call you to ask for your number or personal info. If someone does, hang up and call 1-800-MEDICARE.
- Consider a credit freeze – If you’re concerned about identity theft, you can contact the three major credit bureaus to freeze your credit, making it harder for someone to open accounts in your name.
Also read: Is your medical data safe? Millions may be at risk after major hospital cyberattack
Tips for staying protected in the future
Even if you weren’t impacted this time, it’s a good idea to brush up on some basic security practices:
- Use strong passwords – Make sure your Medicare.gov password is unique and secure.
- Enable two-factor authentication – This adds an extra layer of protection to your accounts.
- Shred old paperwork – Don’t toss medical documents or ID cards in the trash without shredding them first.
- Stay informed – Subscribe to Medicare alerts and pay attention to news about data breaches.
Also read: Mastercard's game-changing update: Why you won’t see a critical piece of information on your card anymore!
Why health data is a growing target
Healthcare information has become a top target for cybercriminals.
Unlike a bank account or credit card number, you can’t easily change your medical history or Social Security number.
In fact, the Department of Justice recently reported one of the largest healthcare fraud cases in history—nearly $15 billion in losses tied to misuse of medical data.
This kind of data breach isn’t just a bureaucratic issue—it’s a reminder that we all have a role to play in protecting our personal information.
While this news may be unsettling, it’s also a powerful reminder of how far a little caution can go.
Take the steps you need to protect yourself, stay informed, and remember—you have every right to feel secure in your healthcare and your identity.
Read next: Are your devices at risk? Experts warn ransomware attacks could surge as young hackers team up with Russian cybercriminals
Did you receive a letter from CMS? Are you worried about how your Medicare data is being handled? Have you experienced identity theft in the past and have advice for others?
We’d love to hear from you. Share your thoughts and questions in the comments below—your experience might help someone else stay ahead of a scam or avoid future risk.
