In a report released on April 5, 2018, the Government Accountability Office (GAO) concluded that the Centers for Medicare and Medicaid Services (CMS) has not done enough to protect the electronic data of Medicare beneficiaries.  There are over 59 million Medicare beneficiaries, and beneficiary information includes some of the most sensitive personal information, making it very attractive to criminals.  Therefore, CMS’s protection of that data is critically important.

In its report, the GAO identified two failures regarding external entities with access to Medicare beneficiary data. First, it found that CMS failed to develop guidance for researchers on assessing security risks and implementing controls to address identified risks.  Researchers are one of three external groups with access to Medicare beneficiary information.  The other two groups are Medicare contractors and qualified entities (qualified entities receive data under the Affordable Care Act to evaluate the performance of providers and suppliers).  CMS has guidance for these two groups.  Without providing researchers with guidance, CMS leaves them to their own devices to determine risk and implement security measures.

Second, the GAO concluded that CMS does not have an oversight program to ensure that researchers and qualified entities have implemented adequate security measures, although it has one for Medicare contractors.  Without such a program, CMS cannot confirm that researchers and qualified entities are adequately protecting Medicare beneficiary data.

In light of these findings, CMS may look to extend its existing guidance and oversight programs to ensure that all external groups with access to Medicare beneficiary data are covered.