The Centers for Medicare and Medicaid Services (CMS) inadvertently exposed Social Security numbers belonging to over 100 healthcare providers in a public database, according to multiple reports. The agency took its National Provider Directory offline after The Washington Post alerted officials to the security lapse.
The directory, designed to help seniors find healthcare professionals, contains information on more than 7 million providers. CMS attributed the error to providers mistakenly entering their Social Security data in the wrong field on submission forms.
“The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation,” a CMS spokesperson told the Post.
This is not the first time the directory has faced scrutiny. Since its launch last year, the database has been plagued by inaccuracies, including misidentified healthcare plans under certain providers. The project is part of a broader push by Amy Gleason, acting administrator of the Department of Government Efficiency (DOGE), to improve public access to provider information.
Lawmakers Raise Alarms
Oregon Democratic Sens. Jeff Merkley and Ron Wyden voiced “deep concern” in a November letter to CMS Administrator Mehmet Oz about “erroneous, conflicting, and duplicative information” in the database. “While we appreciate CMS’s stated intent to help enrollees more easily navigate and choose a Medicare Advantage plan, we are concerned that this rushed rollout will mislead millions of seniors as they compare plans, and may cause seniors and people with disabilities to incur medical bills they reasonably believed would be covered,” the senators wrote.
Merkley, ranking member of the Senate Budget Committee, and Wyden, top Democrat on the Senate Finance Committee, have been vocal critics of the Trump administration’s data handling. The administration previously faced backlash after DOGE stored Social Security data in an unsecured cloud server, a move a whistleblower said put “over 300 million Americans” at risk of identity theft.
Wyden slammed that incident as “a clear example of how the Trump administration is playing fast and loose with Americans’ most sensitive personal information.” He added, “Trump and DOGE’s reckless treatment of Social Security data jeopardizes the financial security and personal safety of every single American.”
The latest breach adds to a growing list of data security concerns under the administration, as think tanks push proposals to cut Social Security benefits to avert insolvency. Meanwhile, the database’s rollout has been criticized as hasty, with lawmakers warning it could mislead seniors during open enrollment.
CMS has not commented on whether affected providers have been notified or if the directory will be restored with additional safeguards. The incident underscores ongoing tensions between efficiency initiatives and data protection in federal health programs.
