The Centers for Medicare and Medicaid Services notified 13,775 Medicare beneficiaries that their health records were compromised but it still missed several notification requirements, the Health and Human Services inspector general has found.
It said that while CMS made progress in responding to medical identity theft by developing a compromised number database for contractors, the database’s usefulness could be improved.
Further, contractors do not consistently develop edits to stop payments on compromised numbers, and while CMS offers some remedies to providers, it offers fewer to beneficiaries affected by medical identity theft, the IG said.
It said CMS agreed with recommendations to ensure that breach notifications meet Recovery Act requirements, improve its compromised number database, provide guidance to contractors about using database information and implementing edits, and to develop a method for reissuing identification numbers to beneficiaries affected by medical identity theft.
