Medicare data breach exposes 100,000 Americans' info

The Centers for Medicare & Medicaid Services (CMS) sent letters this week to those affected, confirming that hackers accessed sensitive data linked to Medicare.gov accounts.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM/NEWSLETTER

The breach traces back to suspicious activity starting in late 2023. According to CMS, cybercriminals used stolen personal data from external sources to fraudulently create Medicare.gov accounts.

That information included:

CMS began receiving alerts in May 2025 when people reported receiving account confirmation letters for accounts they had not created. This triggered an internal investigation. Hackers not only created unauthorized accounts but, in some cases, accessed additional sensitive data such as:

If you're one of the people affected by the Medicare data breach:

CMS is still investigating how the attackers obtained such accurate personal data and whether more individuals may be at risk.

Here are five important steps you can take right now to protect your Medicare information and reduce your risk of identity theft after the breach.

Regularly check your Medicare and healthcare accounts for changes you did not make. Be cautious of unfamiliar services, charges or communications from providers you don't recognize.

In light of the Medicare data breach, where bad actors used valid personal details to create fake accounts, enrolling in a trusted identity theft protection service can offer an extra layer of defense. These services monitor your Social Security number, email, phone number and other sensitive data to alert you if it's being sold on the dark web or used to open fraudulent accounts.

Many top-rated services also help you freeze your credit and bank accounts and offer expert support if your identity is compromised. My top pick includes up to $1 million in identity theft insurance to cover stolen funds and legal fees, plus access to a U.S.-based fraud resolution team that helps you recover faster.

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com/IdentityTheft  

Never share your Medicare number or card details with anyone over the phone or email, unless you initiated the contact and trust the source. Treat it like a credit card.

If you believe your information is being misused, remove it from the internet. A personal data removal service can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.

If you notice suspicious activity, report it directly by calling 1-800-MEDICARE (1-800-633-4227) to report Medicare fraud. Also, file a report at IdentityTheft.gov to create a recovery plan with the Federal Trade Commission (FTC). This not only helps you recover faster but also contributes to broader investigations that protect others.

This Medicare breach may not have resulted in confirmed cases of identity theft so far, but that does not mean the situation should be taken lightly or dismissed as low risk. It took malicious actors less than two years to create over 100,000 fake Medicare accounts using valid personal information, which suggests a significant weakness in how sensitive data is being protected and monitored at the federal level.

Do you think healthcare organizations are doing enough to protect your data? Let us know by writing us at Cyberguy.com/Contact

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM/NEWSLETTER

Copyright 2025 CyberGuy.com.  All rights reserved.