Allegheny health networks are facing new fines of more than $6 million after a data breach compromised data from nearly 150,000 Medicare Advantage beneficiaries.
The fines are the latest blow to the networks, which were already under pressure after the Centers for Medicare & Medicaid Services announced it would phase out Medicare Advantage enrollment starting next year, and which also were hit with additional fines last month over the improper use of data.
The network, the largest provider of Medicare Advantage services, said in a statement that the $6-million penalty was due to its “corporate failure to protect Medicare Advantage enrollees from the fraudulent data breach.”
The network said the fines would be paid out over two years and that it was working with the U.S. attorney’s office in Pittsburgh, where it also operates.
“We continue to be committed to the care of our Medicare Advantage patients,” said Wasp chief executive David Schramm in a news release.
“However, this is an opportunity to get things right for our customers and to work to prevent future incidents like this in the future.”
In January, the network was hit with a $1.8 million fine and the imposition of an 18-month probationary period.
It had been one of the first networks to report the data breach, and the network reported to the CMS last year that it had about 7 million beneficiaries enrolled in Medicare Advantage.
In response to the new fines, the Medicare Advantage Association of America (MACA) called for “a major overhaul” of Medicare plans.
The CMS said in January that the network’s data breach had compromised more than 50 million beneficiaries.
It was unclear whether the network had been able to notify the CMS or whether the CMS had taken the data breaches seriously enough to act on the information.
The hospital networks that had previously been hit with penalties for the same data breach were also hit with new fines.
Wanda Health Network, based in New York City, is one of eight networks in the nation that reported the breach.
The other four networks are in Pittsburgh; Chicago; New York; and Atlanta.
In January the CMS said the breaches were due to a “corrupt marketing scheme” and that the networks had not notified the CMS about the breach or made any attempt to protect themselves.
In a letter sent to MACA and other groups, the CMS noted that MACA has “repeatedly informed us of the scope and magnitude of the breaches and that we have been responsive in the past.”
The CMS has also told MACA that it has “a policy to notify CMS of breaches that impact Medicare Advantage members and their dependents.”
The breaches affected hospitals, doctors and other health care providers, and led to a series of investigations by the CMS and the Federal Trade Commission, the consumer watchdog.
In February, the networks said they had received a $4.5 million fine for a separate breach that impacted more than 1 million Medicare Advantage clients.
The $4 million fine came on top of $1 million already imposed for the Medicare Fraud Strike Force, which investigated Medicare Advantage fraud in the health care industry in 2013.
In May, MACA released a statement saying it was committed to fixing its data breach.
“The CMS has told us that we need to make changes and work to fix these problems,” said MACA CEO Jim Boudreau in a written statement.
“It is clear to us that our system is not secure enough to protect the millions of Medicare beneficiaries and their families that rely on our network for their health care.”
Medicare Advantage networks also reported a breach in May, after the CMS announced it was shutting down Medicare Advantage enrollments in the months of July and August.
The networks said in their statement that they were working with CMS and had “taken all necessary steps to ensure our network was secure.”
But in a recent interview, Wanda CEO Schrammi told the Associated Press that “we’re still working on that, we’re not done.”
Wanda is also among the networks to have had problems with Medicare Advantage contracts.
In November, the health systems’ contracts with the CMS expired.
Wasp said it had contracts with five different companies, but that all were terminated.
WAP, a network of eight hospitals in Pennsylvania, is in the midst of renegotiating its contracts with CMS.
The hospitals had also contracted with WAP in 2014 to help provide data to CMS to help with the investigation of Medicare fraud.
The health systems said it will no longer provide data in response to CMS inquiries.
WPA has not yet received any CMS inquiries, the Associated News reported.
In October, the Centers on Medicare & Medicaid Services said it was stepping up its oversight of Medicare and Medicaid networks.
CMS announced that it is taking additional steps to better protect the Medicare network from fraudulent or improper data breaches, including requiring all network members to notify and respond to inquiries by the Federal Deposit Insurance Corp. The new step comes as CMS continues to investigate Medicare Advantage data breaches in