On December 14, 2022, the Centers for Medicare & Medicaid Services (“CMS”), the federal agency that manages the Medicare program, posted a press release related to a data breach suffered by a CMS subcontractor.  According to the notice, on October 8, 2022, a CMS subcontractor (Healthcare Management Solutions (“HMS”)) suffered a ransomware attack on its corporate network.  According to CMS, “HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments.”  On October 9, 2022, CMS was informed that HMS had suffered a cybersecurity incident.  On October 18, 2022, CMS had high confidence that the incident involving HMS potentially included personally identifiable information (“PII”) and protected health information (“PHI”) of Medicare beneficiaries.  The incident potentially affected up to 254,000 Medicare beneficiaries.  Avoiding ambiguity, CMS noted that its own systems were not breached and that, based on initial information, HMS may have violated its obligations to CMS.

CMS’s press release is a harsh reminder that any entity (including a federal government agency) can be affected, directly or indirectly, by a cyber incident.  CMS’s situation involves a subcontractor that, according to CMS, possibly did not comply with its obligations to CMS.  A similar situation often occurs with private entities too.  Individuals and businesses handling PII or PHI must ensure their internal processes comply with federal and state rules.  These entities should also ensure their agreements with their contractors require specific levels of security, training, and other preventive measures to ensure the entity is protected.  Similarly, agreements with contractors should include provisions making sure the contractor requires its subcontractors to also implement entity-approved levels of security, training, and other preventive measures.  Merely requiring these measures may not effectively reduce the likelihood of a data breach if the contractors or subcontractors do not put the measures into practice.  Therefore, entities should receive documented assurances of implementation and verify implementation.

Breach responses can be expensive, and more insurance carriers are requiring certain technological preventive measures for coverage.  When bargaining power exists and where necessary, entities should include provisions in their contracts requiring adequate insurance coverage for cyber incidents that covers breach response, government investigations, and business losses suffered by the entity (not just the contractor or subcontractor).  Indemnification clauses should not be an afterthought.  

Professionals responding to data breaches should consider studying CMS’s press release for concepts that can be included in future data breach notices and press releases.  Though not guaranteed, we hope that HHS’s Office for Civil Rights and other government agencies will look favorably on notices and press releases that have elements found in the federal government’s own notice.  Below are a few considerations and reminders from CMS’s press release for professionals handling cyber incidents.

  • Detailed explanation of the services the affected subcontractor provides to CMS.
  • Inclusion of personally identifiable information (PII), which is broader than PHI.  PII is becoming a more common standard with various privacy rules and regulations that go beyond the health care industry. 
  • A clear list of information possibly exposed.
  • A clear statement of what information was not exposed.
  • A clear list of tasks the potential victims can take to protect themselves, not merely a paragraph of protective legal jargon.
  • A sample of the Notice letter included in the online press release.
  • Verbiage that informs the public and serves as a public relations tool.  For example, note how CMS identifies the number of potentially affected individuals (required) and includes more information (not required) possibly to reduce the sting of the required information: “the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves.”  Another example is to include, where possible, direct quotes from senior leadership about the incident.

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.