Oregon’s two U.S. senators want answers from the Trump administration over its recent release of Social Security numbers and other personal information of health care providers on a public website.
The release was exposed early this month by The Washington Post during a review of the administration’s new online directory of health care doctors and other providers. The Post downloaded the database and — in reviewing just a sample — discovered it contained dozens of Social Security numbers that were linked to provider names and other identifying information.
Sens. Jeff Merkley and Ron Wyden want to know how that happened and what the federal Centers for Medicare and Medicaid Services, which oversees those nationwide health plans, has done to protect them from identity theft and other potential crimes.
In a draft of the letter shared with The Lund Report, the senators ask the head of CMS to answer 15 detailed questions about how the release happened, who was involved, who was affected and what’s being done to make amends.
“The harm to affected providers and to program integrity cannot be undone,” they write. “We view this as part of a broader and deeply troubling pattern.”
This is not the first time that the Trump administration has released personal information. Several Democratic members of Congress have complained about the release of the names of victims of Jeffrey Epstein in files released by the U.S. Justice Department. And earlier last year, whistleblowers said that the Department of Government Efficiency, or DOGE, which fired masses of people under the direction of billionaire Elon Musk, unlawfully accessed private information.
“This administration has repeatedly mishandled sensitive personal data entrusted to the federal government and has repeatedly resisted congressional oversight when those failures come to light,” said Merkley and Wyden, the top or ranking Democratic members of the Senate Budget and Finance committees.
CMS officials did not immediately respond to a request from The Lund Report for comment.
The Trump administration has demanded data from state Medicaid agencies for use in immigration enforcement — a move that some federal Medicaid officials considered unethical and potentially unlawful.
Four top Democrats in the U.S. House, ranking members of the subcommittees on health, Social Security, oversight and Ways and Means, have also written to the heads of CMS and the Department of Health and Human Services about the leak.
“The mere fact that this sensitive information was sitting on a public website for an unknown period of time raises significant concerns about identity theft for the providers,” Reps. Robert Neal of Massachusetts, Lloyd Doggett of Texas, John Larson of Connecticut and Terri Sweell of Alabama said in their letter dated May 11.
Last October, the four representatives also wrote to the Trump administration over the “flawed rollout” of the provider directory for people looking to renew or sign up for a Medicare Advantage Plan. The directory, which was supposed to help beneficiaries identify plans affiliated with their providers, was full of errors.
CMS has promised to publish a comprehensive provider directory to help the public. The provider update to the Medicare plan finder in October was supposed to help people during the special enrollment period between mid-October and early December pick the best Medicare Advantage plan. They’re managed by private companies and have faced widespread criticism of putting profits before patient care, with restrictive provider networks, prior authorization requirements, deceptive marketing and overbilling the federal government.
The update was rife with errors and conflicting information, the Washington Post first reported. It found duplicative addresses for providers and listings that included them both in-network and out-of-network, undercutting the directory’s purpose.
Those revelations spurred the same representatives and senators to first write to CMS about the update, expressing concern that inaccurate, incomplete and contradictory information would hurt the nearly 34 million Americans enrolled in a Medicare plan.
Already, the process of picking a plan is a confusing and time-consuming process, they said, leading to many failing to select the cheapest and most generous option. Those with lower cognitive ability often stick with suboptimal coverage once enrolled, they said, leading to higher and unnecessary spending.
“The sloppiness of CMS’s new provider-directory tool makes these challenges only that much worse,” they said in their Nov. 4 letter to Dr. Mehmet Oz, the CMS administrator.
Numerous questions
The senators — and four representatives who wrote a similar letter to CMS — decried the agency’s “rushed deployment” and “flawed rollout” of the directory and asked a series of questions. They wanted to know who was behind the early rollout, the role of a key vendor and why the agency had notified insurers and not Medicare members that they’d have a special enrollment period extending into 2026 to change plans if misinformation in the directory had caused them to make a poor choice.
In its response to Merkley and Wyden in a letter in March, Oz said the directory underwent “multiple rounds of testing” before going live but found out the next day it had errors.
Oz said the agency — not the vendor SunFire — was at fault and that CMS paid SunFire $50,000 for a year of service.
Oz indicated that CMS does not check the data but that it is provided directly by the insurers and is managed by them.
“CMS will only be made aware of specific provider errors if someone with Medicare reaches out to 1-800-MEDICARE to report an accuracy issue,” Oz wrote.
He said Medicare warns beneficiaries that information in the directory may not be correct by telling them to check directly with providers about their insurance status.
In their new letter, Wyden and Merkley want to know how the leak of private provider information happened and what the agency is doing about it.
“CMS failed to detect this exposure for weeks and learned of it only when reporters made inquiries,” Merkley and Wyden write. “This is precisely the category of data that bad actors have long used to perpetuate identity theft, and the harm to affected providers and to program integrity cannot be undone.”
They ask if the full extent of the leak has been determined, how many providers were affected, why Social Security numbers were there in the first place and whether every provider has been notified.
They also question whether CMS has determined whether any unauthorized parties have accessed the information.
They pose several questions about how the leak happened, demanding to know the names of all political appointees and other individuals involved in designing, developing and overseeing the database, and they specifically ask about the involvement of people affiliated with DOGE. Musk stepped away from DOGE, and by November it was disbanded, Reuters reported, adding that some former members are scattered around the administration.
The senators also CMS has offered the affected providers identity protection and whether the agency plans to pause its work on publishing a comprehensive provider directory pending a review and a referral to the inspector general.
They give Oz until June 3 to respond.
