TL;DR: Two 2025 headlines raised the baseline risk: (1) the Change Healthcare breach was updated to about 192.7M impacted individuals, and (2) unauthorized Medicare.gov accounts were created for some beneficiaries. Coach clients on red flags, tighten your own office SOPs, and know exactly where to report.
What’s new & worth mentioning to clients
- Largest health-data breach on record: HHS says Change Healthcare now pegs the impact at ~192.7M individuals. Clients may see more phishing that “sounds” like their pharmacy/doctor. Remind them: never share MBIs over the phone or via links.
- Medicare.gov account incident (2025): CMS found some Medicare.gov accounts were fraudulently created using real beneficiary info. If a client got a CMS letter, help them secure the account and monitor claims.
Current scam patterns to warn clients about
- “New/updated Medicare card” calls or texts asking for an MBI, SSN, or payment. (Real Medicare doesn’t call people out of the blue to collect numbers or fees.)
- “Flex card” hype (free grocery/utility cards). Only some MA plans offer limited prepaid benefits; Medicare itself doesn’t hand out flex cards. Verify benefits with the actual plan—ignore cold calls/ads.
- Pop-up “free genetic/cancer test” offers harvesting MBIs to bill unnecessary tests. Coverage requires a clinician’s order for medical need.
What to say (client-ready script)
“If you get a surprise call, text, or ad about your Medicare card, a ‘flex card,’ or a free test—don’t share your Medicare number. Hang up or close the page. Call me or 1-800-MEDICARE using the number on your card. We’ll verify what’s real.”
If a client was targeted or data may be exposed: your quick checklist
- Lock down access: Help them set/refresh a strong Medicare.gov password and confirm contact info.
- Review claims: Scan the MSN/EOB for unknown services or providers; keep notes of anything odd.
- Report promptly:
- 1-800-MEDICARE or Medicare’s online fraud form (primary).
- I-MEDIC (Part C/D): 1-877-7SAFERX.
- Office of Inspector General Hotline for suspected fraud: 1-800-447-8477.
- Consider a new Medicare number: If an MBI is compromised, CMS can issue a new one on request via 1-800-MEDICARE.
Broker office SOP (copy/paste into your internal playbook)
- Never ask clients to email or text their MBI/SSN. Use phone, portal, or encrypted forms only.
- Verify inbound calls before discussing PHI/PII (call back using a known number).
- Document incidents (date, caller ID, script, any link/URL).
- Refresh staff training each January with FTC’s latest scam patterns and sample talking points.
Client-facing templates
Email (paste into your CRM):
Subject: Quick Medicare security check for 2026
Hi [Name],
Because of recent national data incidents and ongoing Medicare impersonator scams, here’s the rule of thumb: if a call, text, or ad asks for your Medicare number, hang up/close it and call me or 1-800-MEDICARE at the number on your card. We can also review your Medicare Summary Notice together and report anything suspicious to Medicare or I-MEDIC (1-877-7SAFERX). If your number was exposed, Medicare can issue a new MBI.
– [Broker Name], [Phone/Email]
60-second voicemail:
“Hi [Name], it’s [Broker]. Quick security reminder: Medicare will not call to ask for your number or sell you a ‘flex card.’ If you get a call like that, hang up and call me or 1-800-MEDICARE. We’ll also check your January statements and report anything odd to I-MEDIC for drug/plan issues. Talk soon!”