Larson Presses Secretary Kennedy and Dr. Oz on Unauthorized Public Release of Physician Social Security Numbers

Washington, D.C. - Today, House Social Security Subcommittee Ranking Member John B. Larson (CT-01) wrote to U.S. Secretary of Health and Human Services (HHS) Robert F. Kennedy Jr. and Centers for Medicare & Medicaid Services (CMS) Administrator Mehmet Oz, pressing for answers after 'DOGE' officials at CMS launched a portal that publicly disclosed the Social Security numbers of some doctors and medical providers.

"The Trump Administration's 'DOGE' cronies have been combing through the American people's personal records for over a year, and they cannot be trusted," said Larson. "Since then, we've learned of their work to use data to help overturn elections, and now, the public disclosure of physicians' individual Social Security numbers. I have demanded hearings, requested subpoenas, and introduced Resolutions of Inquiry to compel these bad actors to come forward and come clean. From Elon Musk to Dr. Oz, Trump officials have not only obstructed our probes, but they have enabled 'DOGE' at every step of the way. Americans deserve answers for this unforgiveable privacy breach that put doctors across the country as grave risk of identity theft."

Ranking Member Larson was joined by Ways and Means Committee Ranking Member Richard E. Neal (MA-01), Health Subcommittee Ranking Member Lloyd Doggett (TX-37), and Oversight Subcommittee Ranking Member Terri A. Sewell (AL-07).

"The mere fact that this sensitive information was sitting on a public website for an unknown period of time raises significant concerns about identity theft for the providers subject to the breach, as well as broader concerns about this Administration's handling of sensitive information," the lawmakers wrote. "This is the exact type of data that bad actors have used to defraud the Medicare program, and while the agency is working to remedy the problem, the harm has already been done."

"Ways and Means Democrats have repeatedly raised alarm over the Administration's reckless mishandling of highly sensitive Social Security data, sending multiple letters to the Social Security Administration (SSA) and introducing Resolutions of Inquiry to compel transparency when our requests for information went unanswered. Not only have the responses we have received from our letters been far from satisfactory, but they have also revealed a lack of concern regarding the privacy of Americans' personal data and the integrity of our public programs," they continued.

The Ranking Members demanded an immediate briefing on this "unforgiveable" data breach, and answers to the following questions:

1. When and how did CMS and/or Department of Health and Human Services (HHS) staff become aware of the data breach?

1. What was/is the relationship with CMS, HHS, and DOGE in developing and maintaining the provider directory website? Were/are DOGE staff involved? If so, please describe the nature of their involvement.

1. What contractors were used, if any, to develop or maintain the provider directory?

1. Did staff know about the data breach before being alerted by reporters at The Washington Post?

1. How long did it take before CMS staff removed the SSNs and other sensitive information from the Medicare provider directory website?

1. How many providers were exposed to this data breach? What has been the process for contacting these providers to alert them to the breach?

1. What sort of remedies is the Administration offering the providers who may have potentially had their identities stolen as a result of the CMS data breach?

1. What steps is CMS taking to ensure that fraudsters will not take advantage of the recklessness of exposing provider SSNs?

1. Were any other data inappropriately posted on the provider directory website? If so, which data?

1. What is CMS doing to ensure this type of episode does not happen again?

Their full letter to Secretary Kennedy and Administrator Oz is available HERE.