Contributed by Lee Kim, Esq.



CMS has reported that it had 14 breaches of protected health information between September 23, 2009, and December 31, 2011. CMS notified the 13,775 Medicare beneficiaries affected by the breaches.  However, according to the Office of Inspector General of HHS (OIG), it did not meet several ARRA requirements.  

Such breaches can lead to identity theft.  In response to this risk, a compromised number database has been developed by CMS.


The OIG has made several recommendations to CMS to ensure that its breach notifications meet the ARRA requirements, improve the compromised number database, provide guidance to contractors about using database information and implementing edits, and developing methods to ensure that beneficiaries who are victims of medical identity theft retain access to needed services and to reissue identification numbers to beneficiaries affected by medical identity theft.

OIG’s complete report can be found here: