
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

CMS Found to Have Leaked Providers’ SSNs

A database created by the Centers for Medicare and Medicaid Services (CMS) has been exposed online, revealing providers’ Social Security numbers. The database can be downloaded, as it was by reporters at the Washington Post. The CMS created a new directory last year to help seniors find healthcare providers covered by insurance plans. The directory lists doctors and other healthcare providers who accept certain insurance plans, in an effort to improve transparency and access to care.

The database created by the CMS to power the provider directory has been found to be leaking some sensitive data. The data that populated the directory was found to contain the Social Security numbers of certain providers, which were linked to their names and other identifying information. The database was publicly accessible for several weeks, and while not immediately visible to individuals who visit the provider directory, it was possible to download the database.

The reporters searched the database and identified dozens of Social Security numbers by reviewing just a sample of rows. The CMS has been notified and responded, saying it is working on a fix to resolve the issue that led to the data exposure. “[The problem] stems from incorrect entries of provider or provider-representative-supplied information in the wrong places,” explained the CMS. “The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation.”

The explanation suggests that the exposed Social Security numbers are included in the database due to providers entering Social Security numbers into incorrect fields. The CMS did not confirm how many individuals have had their Social Security numbers exposed. Critics suggest that the rollout of the directory was rushed and that the project did not have sufficient oversight. Initially, when the directory was launched, providers were associated with incorrect health plans, with some pages confirming that a provider was covered by an insurance plan, while other pages said they were out of network.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
