For weeks, a behind the scenes dataset that helps power the federal Medicare provider directory sat on a public server with health care providers’ Social Security numbers tucked inside. Only after the files were taken offline did many clinicians realize that some of their most sensitive personal information had been exposed outside internal systems.
How reporters found the files
The Washington Post downloaded the files and reported finding dozens of unredacted Social Security numbers tied to providers’ names in a dataset used to populate the new Medicare portal. According to the paper, those backend files were part of the Centers for Medicare and Medicaid Services’ public data releases and did not show up through the directory’s standard search tool.
Numbers and the takedown
Local station WATN TV reports that Politico examined one of the downloadable files and found full, unredacted Social Security numbers for at least 102 providers. The station also reported that CMS removed the National Provider Directory after the issue was flagged and that the files had been accessible for multiple weeks before being pulled, per LocalMemphis.
What CMS says
CMS said the problem “stems from incorrect entries of provider or provider representative supplied information in the wrong places” and that the agency “has taken steps to address it promptly and reinforce safeguards around data submission and validation,” according to a spokesperson quoted by The Washington Post. Industry coverage notes that the Post flagged the dataset to CMS on April 28 and that the files were taken down after the agency was alerted, with Becker’s Hospital Review providing additional context on the fallout.
What affected providers can do
Providers who believe their information may have been exposed are being urged to follow federal identity theft guidance: file an identity theft report, consider placing a fraud alert or security freeze with the major credit bureaus, and closely monitor financial and tax records. The Federal Trade Commission’s identity theft resources, including the interactive recovery plan at IdentityTheft.gov, lay out specific next steps and the paperwork needed to dispute fraudulent accounts, per the FTC.
Why it matters and what comes next
The directory is the first step in a broader national provider list that federal officials say will help beneficiaries compare in network doctors, with a beta launch scheduled for later this year. The exposure, though, highlights the risks that come with pushing large administrative datasets into public feeds. Becker’s Hospital Review and other coverage report that Democrats and provider groups are sounding alarms about the pace of the rollout and are pressing CMS for details on safeguards, notification to affected providers, and what will change before the next round of data goes live.
