Medicare Provider Database Exposes Social Security Numbers in Public Leak
A publicly accessible database used to populate a Medicare provider directory inadvertently exposed the Social Security numbers (SSNs) of U.S. healthcare providers. The directory, launched by the Centers for Medicare and Medicaid Services (CMS) as part of the Trump administration’s efforts to modernize Medicare, was designed to help seniors locate compatible doctors and medical providers.
The Washington Post discovered the exposure after downloading and reviewing the database, which was made available under CMS’s data transparency initiatives. CMS acknowledged that SSNs were mistakenly included due to incorrect data entries by providers or their representatives. The agency stated it had taken steps to address the issue and strengthen data validation protocols but did not disclose how many SSNs were exposed or whether affected providers had been notified. The database was removed after the Post alerted health officials.
One physician, speaking anonymously, expressed confusion over how Medicare officials obtained their SSN. The incident adds to prior criticisms of the modernization effort, which has faced issues such as mismatched insurance coverage. In November, Senators Jeff Merkley (D-Oregon) and Ron Wyden (D-Oregon) raised concerns in a letter to CMS, warning that rushed implementation could mislead seniors and result in unexpected medical bills.
Centers for Medicare and Medicaid Services TPRM report: https://www.rankiteo.com/company/centers-for-medicare-&-medicaid-services
{
  "id": "cen1777710361",
  "linkid": "centers-for-medicare-&-medicaid-services",
  "type": "Breach",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'U.S. healthcare providers',
            'industry': 'Healthcare',
            'location': 'United States',
            'name': 'Centers for Medicare and Medicaid Services (CMS)',
            'size': 'Large',
            'type': 'Government Agency'
        }
    ],
    'attack_vector': 'Misconfiguration',
    'data_breach': {
        'personally_identifiable_information': 'Social Security numbers (SSNs)',
        'sensitivity_of_data': 'High (SSNs)',
        'type_of_data_compromised': 'Personally Identifiable Information (PII)'
    },
    'description': 'A publicly accessible database used to populate a Medicare provider directory inadvertently exposed the Social Security numbers (SSNs) of U.S. healthcare providers. The directory was designed to help seniors locate compatible doctors and medical providers but mistakenly included SSNs due to incorrect data entries.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage to CMS',
        'data_compromised': 'Social Security numbers (SSNs)',
        'identity_theft_risk': 'High',
        'systems_affected': 'Medicare provider directory database'
    },
    'lessons_learned': 'Need for stricter data validation and verification protocols to prevent sensitive information from being publicly exposed.',
    'post_incident_analysis': {
        'corrective_actions': 'Database removal, strengthened data validation protocols',
        'root_causes': 'Incorrect data entries by providers or their representatives, inadequate data validation protocols'
    },
    'recommendations': 'Implement automated data validation checks, conduct regular audits of public databases, and ensure proper notification of affected individuals.',
    'references': [{'source': 'The Washington Post'}],
    'response': {
        'containment_measures': 'Database removed from public access',
        'remediation_measures': 'Strengthened data validation protocols'
    },
    'title': 'Medicare Provider Database Exposes Social Security Numbers in Public Leak',
    'type': 'Data Exposure',
    'vulnerability_exploited': 'Incorrect data validation protocols'
}