Merkley, Wyden Demand Oz Detail How Health Care Providers’ Personal Information, Including Social Security Numbers, Were Published to Public Portal

Merkley, Wyden Demand Oz Detail How Health Care Providers’ Personal Information, Including Social Security Numbers, Were Published to Public Portal May 21, 2026 Merkley and Wyden Previously Called on CMS for Answers Surrounding the Disastrous Roll Out of the Medicare Advantage Provider Directory Portal Washington, D.C. – Oregon’s U.S. Senators Jeff Merkley, Ranking Member of the Senate Budget Committee, and Ron Wyden, Ranking Member of the Senate Finance Committee, ask Dr. Mehmet Oz, Administrator of the Centers for Medicare and Medicaid Services, to answer for how the highly sensitive personal information, including Social Security numbers, of health care providers ended up on the public provider directory portal, leaving these providers subject to a substantial risk of identity theft. “Reporting reveals that the provider directory exposed the Social Security numbers of health care providers, linked to their names and other personally identifiable information, on a public-facing federal website. This same reporting identified dozens of affected providers in a sample of database rows. Critically, it appears CMS failed to detect this exposure for weeks and learned of it only when reporters made inquiries. This is precisely the category of data that bad actors have long used to perpetuate identity theft, and the harm to affected providers and to program integrity cannot be undone,” wrote the senators. “This administration has repeatedly mishandled sensitive personal data entrusted to the federal government and has repeatedly resisted congressional oversight when those failures come to light,” the senators continued. In November, Merkley and Wyden demanded that Oz answer for the rushed launch of the Medicare Advantage provider directory tool that is riddled with erroneous, conflicting, and duplicative information. In their letter, Merkley and Wyden detail how the issues involved with the launch of this directory risk misleading millions of seniors as they compare plans and could cause beneficiaries to incur medical bills they reasonably believed would be covered. Merkley and Wyden’s letter to Oz can be found HERE or below. Dear Administrator Oz: In our letter to you on November 4, 2025, we warned that the rushed deployment of the Center for Medicare & Medicaid Services’ (CMS) Medicare provider directory posed serious risks to the millions of seniors relying on it to make informed choices for plan selection during open enrollment. We asked who authorized the accelerated timeline, what testing was completed, and what accountability mechanisms existed. Your March 24, 2026 response, which arrived several months into open enrollment, did not address those questions. The year-long special enrollment period CMS is a necessary remedy to protect beneficiaries, but it is also a tacit admission that the underlying system was not ready for deployment. We write again today with even greater concern. Reporting reveals that the provider directory exposed the Social Security numbers of health care providers, linked to their names and other personally identifiable information, on a public-facing federal website. [1] This same reporting identified dozens of affected providers in a sample of database rows. Critically, it appears CMS failed to detect this exposure for weeks and learned of it only when reporters made inquiries. This is precisely the category of data that bad actors have long used to perpetuate identity theft, and the harm to affected providers and to program integrity cannot be undone. We view this as part of a broader and deeply troubling pattern. When we wrote to you in November 2025, we stressed that the rushed deployment of this provider directory led to the erroneous information included in the database. This administration has repeatedly mishandled sensitive personal data entrusted to the federal government and has repeatedly resisted congressional oversight when those failures come to light. We therefore request written responses to the following questions no later than June 3, 2026 : The Incident: Timeline, Scope, and Notification Provide a chronological account of the incident, including when CMS first became aware that provider Social Security numbers (SSNs) had been exposed in the directory database; what actions were taken and at what times following that awareness; and which entities, including third-party contractors, were involved in said actions? Have you identified the full extent of the exposure? Has the exposure been remediated? If yes, please provide the precise start and end dates of the exposure window. How many providers’ SSNs were exposed in total? Please explain what purpose SSNs served in this database. Besides SSNs, was any other personally identifiable information (PII) exposed? Please provide details. Has CMS provided individual written notification to every provider whose PII was exposed in the database? If so, please provide the dates, means, and content of the notifications. Has CMS