25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

Posted By on Dec 19, 2019

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API exposed the protected health information of around 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug.

The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user credentials through a randomly generated unique user ID, which ensures the correct beneficiary claims data is shared with the correct third-party applications.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The CMS discovered a coding bug was causing Blue Button 2.0 to truncate a 128-bit user ID to a 96-bit user ID.  A 96-bit user ID is not sufficiently random and, as a result, the same truncated user ID was assigned to different beneficiaries. That meant that some of the beneficiaries with the same truncated user ID in the identity management system had their claims data passed to other users and applications via Blue Button 2.0.

The error and why it resulted in the impermissible disclosure of claims data are perfectly understood, what was not initially clear was how the bug was introduced and why it was not found in time to prevent the exposure and disclosure of sensitive beneficiary data.

There are three takeaways from the initial findings of the investigation related to code reviews, testing, and cross team collaboration.

The CMS investigation found the bug was introduced on January 11, 2018. When changes are made, there is usually a comprehensive review of the changes, but in January a comprehensive review was not completed. If the review had occurred, the bug could have been identified and corrected before any sensitive information was disclosed.

The CMS tests Blue Button 2.0 using synthetic data to verify functionality. This ensures that no personal health information is put at risk. Integration of Blue Button 2.0 with other systems is not tested in order to protect personal health information. Consequently, integration with the identity management system was not tested.

The CMS notes that the code that generates the user ID token is run by a separate identity management team. The Blue Button 2.0 team made assumptions about how the token worked, and they were not validated. If there was better collaboration between enterprise teams, the necessary information would have been present in decision making.

Steps have now been taken to prevent further errors from occurring in the future. An enhanced quality review and validation process has now been implemented and the Blue Button 2.0 team will be performing comprehensive reviews of all new code to ensure that any coding errors are identified and corrected before the code changes go live and Blue Button 2.0 will now store full user IDs instead of truncated IDs.

A full review of the platform is now being conducted and the API will remain suspended until that coding review has been completed.

An in-depth analysis will also be conducted to determine the potential impact on affected beneficiaries. Decisions will then be made about what other steps are required to protect affected beneficiaries, such as the provision of credit monitoring services.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist