10,000 Medicare Beneficiaries Impacted by CMS Blue Button 2.0 Coding Bug

The Centers for Medicare and Medicaid Services (CMS) uncovered a bug within its Blue Button 2.0 API which affected 10,000 Medicare beneficiaries’ protected health information (PHI). For this reason, CMS for the time being suspended the use of its Blue Button API as investigations and detailed code analysis is in progress. There is no word yet when the Blue Button 2.0 service will be available.

On December 4, 2019, a third-party program partner informed CMS concerning the data anomaly connected to the Blue Button API. The CMS confirmed the data problem and quickly stopped system access while looking into the problem.

The anomaly was due to a coding bug that allowed the sharing of data with the incorrect beneficiaries and Blue Button 2.0 apps. The CMS stated that the bug impacted 30 applications. Medicare beneficiaries utilize the Blue Button platform for permitting third-party apps and services to access their claims data. A CMS identity management system creates a random unique user ID and ensures sharing the correct beneficiary claims data with the appropriate third-party apps. The CMS discovered a coding bug in the Blue Button 2.0 that transforms a 128-bit user ID to a 96-bit user ID. Because a 96-bit user ID lacks randomness, a number of beneficiaries got similar truncated user IDs. That led to the disclosure of the claims information of beneficiaries with identical truncated user ID found within the identity management system to other beneficiaries and applications via the Blue Button 2.0.

Initially, it wasn’t clear how the bug began and why it was not quickly identified to stop sensitive beneficiary information exposure.

There are three things to realize from the investigation findings related to testing, code reviews, and cross-team collaboration.

Based on the CMS investigation findings, the bug came about on January 11, 2018. Usually, the changes introduced are thoroughly reviewed, but there was no detailed review in January. If perhaps a review was done, CMS most likely discovered the bug and remedied it prior to the sharing of sensitive data.

The CMS inspects Blue Button 2.0 using synthetic data to validate functionality to make sure no PHI is jeopardized. This time, integrating Blue Button 2.0 with other programs was not inspected. Subsequently, it was integrated into the identity management system without testing.

The CMS notes that a distinct identity management team works on the code that generates the user ID token. The Blue Button 2.0 team supposed that the token functioned well, and failed to validate it. Perhaps if the two teams had good collaboration, they would have the essential details to make good decisions.

CMS by now had taken the measures to do away with more errors. An improved check and verification process is right now ready and the Blue Button 2.0 team is thoroughly checking all new codes to ensure identification and correction of coding errors before having the live code changes. The Blue Button 2.0 from now on will not truncate user IDs and keep the complete user IDs.

An overall platform and coding review is being done and the API will remain unavailable until the review is done. CMS is likewise doing a comprehensive evaluation to know the likely effect on Medicare beneficiaries and decide the other essential steps to secure the beneficiaries’ data, including providing credit monitoring services.