More than 100,000 individuals may have been impacted by a "data incident" where unauthorized Medicare beneficiary accounts were made using their information.
The Centers for Medicare & Medicaid Services (CMS) said it's mailing out notifications to about 103,000 people about the suspicious account activity. The agency said the data used to create these accounts were "personal information obtained from unknown external sources."
The CMS said it began receiving calls May 2 about letters regarding Medicare.gov accounts that they did not create. After an investigation, the agency determined that "malicious actors" had fraudulently created the accounts between 2023 and 2025.
The accounts were created using valid information about the beneficiaries, including coverage start date, last names, dates of birth, ZIP codes and Medicare Beneficiary Identifiers.
The CMS said it quickly deactivated the suspicious accounts and then determined the scope of the impact. It said in the announcement that it is not aware of "any reports of identity fraud or misuse of the information as a direct result of this activity."
The agency also has disabled the ability for foreign IP addresses to create Medicare.gov accounts and will monitor claims data for fraudulent activity. For the people impacted, it's changing out their beneficiary numbers.
Data that may have been accessed using these false accounts include provider information, mailing addresses, diagnosis codes, dates of service, services rendered and plan premium information.
"The safeguarding and security of personally identifiable information is of the utmost importance to CMS," the agency said. "CMS is working closely with appropriate parties to investigate this situation."