The Centers for Medicare and Medicaid Services (CMS) accidentally published Social Security numbers belonging to at least 100 healthcare providers in a public online directory, according to multiple news reports. The agency took down its National Provider Directory after The Washington Post alerted officials to the security lapse.
The directory, designed to help seniors find healthcare professionals, contains data on more than 7 million providers. CMS removed the page after the Post flagged the exposure, which stemmed from providers mistakenly entering their Social Security information in the wrong field on the submission form, a CMS spokesperson told the newspaper.
“The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation,” CMS said in a statement to the Post. The Hill has reached out to CMS for additional comment.
This is not the first time the directory has faced scrutiny. Since its launch last year, the database has been plagued by errors, including misidentifying which healthcare plans certain providers accept. The project is part of a broader initiative led by Amy Gleason, acting administrator of the Department of Government Efficiency (DOGE), to improve public access to provider information.
Oregon Democratic Senators Jeff Merkley and Ron Wyden wrote to CMS Administrator Mehmet Oz in November, expressing deep concern over reports of “erroneous, conflicting, and duplicative information” in the database. “While we appreciate CMS’s stated intent to help enrollees more easily navigate and choose a Medicare Advantage plan, we are concerned that this rushed rollout will mislead millions of seniors as they compare plans, and may cause seniors and people with disabilities to incur medical bills they reasonably believed would be covered,” the senators wrote. Merkley serves as the ranking member on the Senate Budget Committee, and Wyden is the top Democrat on the Senate Finance Committee.
The Trump administration has previously faced backlash over data security. Earlier, DOGE reportedly stored Social Security data in an unsecured cloud server, a move a whistleblower at the Social Security Administration said put “over 300 million Americans” at greater risk of identity theft. Wyden called that incident “a clear example of how the Trump administration is playing fast and loose with Americans’ most sensitive personal information.”
“Trump and DOGE’s reckless treatment of Social Security data jeopardizes the financial security and personal safety of every single American,” Wyden said in a statement last summer.
This latest CMS data blunder exposing Social Security numbers adds to a pattern of security lapses under the current administration, raising questions about the handling of sensitive data in federal health programs. The incident also comes amid broader debates over Social Security solvency and potential benefit cuts pushed by some think tanks.
