Be on the lookout for an uptick in Medicare rejections and denials for invalid Medical Beneficiary Identifiers (MBIs). CMS reissued account numbers to 47,000 beneficiaries after a data breach in late May.
On May 27, 2023, an unauthorized entity accessed the MOVEit file transfer application and copied files belonging to public and private institutions that used the software. Maximus, the Qualified Independent Contractor (QIC) that processes second-level appeals for DME suppliers, was one of those unlucky customers.
In its analysis of compromised files, Maximus determined that many of the files contained the personal information for thousands of Medicare beneficiaries, including:
- MBIs and social security numbers (SSNs).
- Dates of birth.
- Telephone numbers.
- Email addresses.
- Chart notes with diagnoses and treatment protocols.
To minimize Medicare’s risk exposure, CMS reissued 47,000 MBIs. It is the first large-scale reissuance that we are aware of since the introduction of the MBI in 2018.
DME MACs will not pay new claims submitted with deactivated MBIs, and suppliers providing active services to affected beneficiaries will encounter some disruption.
What DME Suppliers Should Do
CMS will reject or deny new claims for affected patients as “Invalid Member ID.” Going forward, suppliers must obtain and use the new MBI for claims and appeals, regardless of the MBI listed on the original EOB.
To obtain the new MBI, suppliers can:
- Query the MBI Lookup tools available on the DME MAC portals,
- Contact the patient directly, or
- Contact the referring physician.
MBI Lookup Tools
To query a new MBI on the DME MAC portals, suppliers will need the patient’s:
- First name.
- Last name.
- Date of birth.
- Social security number.
Since CMS designed the MBI to decouple Medicare identification from social security numbers, many suppliers no longer collect SSNs. Unfortunately, it is a required search element.
If the MBI Lookup tool is not a viable option, suppliers may also contact the patient or the treating practitioner. Assuming the physician has already secured the new MBI, HIPAA permits them to share it with the DME supplier for purposes for coordinating care.