Medicare.gov accounts were created without consent using stolen personal data from external sources, triggering a federal investigation.
The Centers for Medicare and Medicaid Services (CMS) has begun notifying approximately 103,000 Medicare beneficiaries that unauthorized accounts were created in their names on Medicare.gov. CMS was first alerted on May 2, 2025, after its call center began receiving inquiries from individuals who received letters confirming account creation despite never initiating the process themselves.
A subsequent investigation confirmed that an unknown threat actor used valid personal information to create these fraudulent accounts, including Medicare beneficiary identifiers (MBIs), birth dates, ZIP codes, and coverage start dates. The fraudulent activity occurred between 2023 and 2025.
CMS believes the data used to create the accounts was obtained from an external third-party breach. Once an account was created, the unauthorized party could access additional data, such as:
While there is currently no evidence that this information has been misused, CMS took several precautionary steps. These included deactivating the fraudulent accounts, issuing new MBIs to affected individuals, and mailing replacement Medicare cards.
CMS stated that the breach did not originate from within Medicare’s systems but stemmed from outside data sources. To further mitigate the risk of repeat incidents, the agency has blocked account creation from foreign IP addresses and is actively monitoring claims data for suspicious activity.
Beneficiaries are being encouraged to regularly review their Medicare Summary Notices and Explanation of Benefits. Any unfamiliar services or charges should be reported promptly.
The incident shows how breached data from unrelated sources can be reused to exploit systems that were not directly compromised. In this case, personal information exposed elsewhere was used to access Medicare.gov accounts, raising concerns about how identity checks can be bypassed using known data points. The CMS response, which included issuing new identifiers and monitoring foreign access, points to a shift in breach response strategies as misuse of external breach data becomes more common.
Affected individuals will receive a notification letter from CMS and a new Medicare card. Anyone uncertain can also call Medicare’s helpline to confirm their status.
The Medicare Beneficiary Identifier (MBI) is a unique number used to process claims. It is being replaced to prevent continued access using the old, compromised ID.
Beneficiaries should contact Medicare directly to report suspicious claims or charges and request a fraud investigation.
While blocking foreign IPs limits some unauthorized access, it cannot prevent attacks using domestic proxies or stolen credentials. It is one part of a broader defense strategy.
Third-party breaches often expose data that can later be reused in unrelated systems, enabling fraudulent activity like unauthorized account creation or identity theft.