As a result of a May 2023 data breach, almost one million beneficiaries are receiving a new Medicare Beneficiary Identifier (MBI) and Medicare card. This change has the potential to cause disruptions to your clients’ health care coverage and enrollment applications.
Read on to familiarize yourself with this recent news and learn how you can help your clients navigate this adjustment and enrollments.
What Happened?
Between May 27, 2023, and May 31, 2023, Wisconsin Physicians Service Insurance Corporation (WPS) experienced a data breach, where some Medicare beneficiaries’ protected health information or other personally identifiable information (PII) may have been compromised. WPS is a contractor for the Centers for Medicare & Medicaid Services (CMS) that handles Medicare Part A and B claims and related services. Third-party software used by the corporation to transfer files, MOVEit, experienced the cybersecurity incident.
The following personal information may have been involved:
- Name
- Social Security Number or Individual Taxpayer Identification Number
- Date of Birth
- Mailing Address
- Gender
- Hospital Account Number
- Dates of Service
- Medicare Beneficiary Identifier (MBI) and/or Health Insurance Claim Number
On July 8, 2024, WPS notified CMS of the data breach, resulting in action taken to issue new MBIs and Medicare cards to affected beneficiaries.
Which Medicare Beneficiaries Will Be Affected?
According to CMS, there may have been unauthorized access to the personal information of 946,801 Medicare beneficiaries associated with the WPS May 2023 data breach.
Despite their name, WPS does not work within Wisconsin. They process Medicare claims for several U.S. states, including Indiana, Iowa, Kansas, Michigan, Missouri, and Nebraska.* Beneficiaries who live elsewhere could be affected if they used providers in those states.
WPS processes Medicare claims for several U.S. states, and beneficiaries who live elsewhere could be affected if they visited providers in those states.
Every beneficiary whose data may have been compromised will receive a letter in the mail explaining the situation and informing them of the new MBI number and Medicare card coming their way.
*In 2007, WPS was awarded a Medicare Jurisdiction 5 contract for Iowa, Kansas, Missouri, and Nebraska. In 2011, WPS was awarded a Medicare Jurisdiction 8 contract for Indiana and Michigan.
Timeline for New MBIs in 2024
Throughout October 2024, CMS has been processing the MBI number reassignments. The effective dates for the new MBIs will vary; the notification letter includes the date the new numbers will take effect. Your clients should start using their new MBI as soon as they receive it.
Possible Impact of MBI Changes
Changes to MBIs can be confusing for clients, agents, providers, and others. It’s important for your client to be aware of their new MBI when applying for different health coverage and seeking care from their providers.
Insurance applications and claims can be denied due to outdated MBI numbers, and these inconsistencies can cause added strain on everyone, including providers’ staff. Claim processing and eligibility reverification could take longer, possibly resulting in delays.
You could receive calls from clients if they are notified that their health care services were not covered by their Medicare plan or their insurance application was denied. If this should happen, reassure your clients that you’re there for them and provide your support to get to the bottom of the issue.
If an enrollment application is submitted using an old MBI, the application could be placed on hold until the new MBI can be provided. Some carriers may try to validate old MBIs through Medicare, but if they are unable to do so, your client will likely be notified by the carrier and asked to produce their new number by a certain date. If the deadline to respond passes, the enrollment could be denied.
Next Steps for Agents
Ask your clients if they’ve received a letter from CMS about the data breach or a new MBI or Medicare card in the mail. It’s imperative that they take the necessary next steps outlined by CMS. Once beneficiaries receive their new card, CMS has instructed them to:
- Follow the instructions in the letter that comes with the new card
- Destroy the old Medicare card
- Inform their providers of their new Medicare number
As mentioned, new MBIs need to be used on enrollment applications to minimize delays in processing enrollments. For some carriers, like Aetna, CMS will provide the updated MBIs of current members, so no action will be required of the beneficiary to inform the carrier. However, it’s good practice to never assume things will be automatically taken care of when changes like this occur. We recommend you encourage your clients to be proactive in managing their coverage and support them in doing so.
Specifically, regarding the leak of your client’s personal information, WPS is offering a complimentary 12-months credit monitoring service from Experian. Additionally, under federal law, U.S. citizens can request one free credit report from each of the three major credit reporting companies — Equifax, Experian, and TransUnion — every 12 months. Make sure your affected clients know of these services available to them. It’s nerve-wracking to know your individual details are in the hands of hackers. Hopefully these safeguards can provide a little peace of mind to your clients who are rightfully feeling anxious.
Data breaches are an unfortunate reality today. CMS and WPS are doing what they can to rectify the situation, and you can help spread the word. Make sure your impacted clients are informed of the incident and know what to do when they receive their new MBI number and Medicare card.
As always, Ritter is here for you. We’ll keep you updated on any new developments regarding this incident. If you’re not already partnered with us, complete your free registration today and gain our full support and service!
Not affiliated with or endorsed by Medicare or any government agency.
Share Post