The Money Overview

DOGE built a Medicare portal to help seniors — then left providers’ Social Security numbers in a public database for weeks

For weeks this spring, the Social Security numbers of healthcare providers who treat Medicare Advantage patients were sitting in a publicly accessible government database, exposed to anyone who knew where to look. The database was connected to a new provider-directory portal built with involvement from the Department of Government Efficiency, and it went live without the privacy safeguards that the Centers for Medicare and Medicaid Services has maintained for years.

That is the central finding of a congressional oversight letter sent to CMS Administrator Mehmet Oz in May 2026 by Sens. Jeff Merkley and Ron Wyden. The senators say the same portal also displayed contradictory network information, labeling providers as both in-network and out-of-network, a flaw that could steer seniors toward doctors their plans do not cover and leave them holding surprise bills.

The portal was supposed to be a win for the more than 33 million Americans enrolled in Medicare Advantage as of the 2025 plan year, giving them a single, reliable place to find covered providers. Instead, it became a case study in what breaks when speed overrides the data protections federal agencies exist to enforce.

What the oversight letter documents

Merkley and Wyden describe a provider-directory tool whose rollout was driven by an acting DOGE official embedded at CMS. Their letter identifies two distinct failures.

The first is a network-accuracy problem. The portal showed contradictory in-network and out-of-network labels for the same providers. A beneficiary could schedule an appointment believing a doctor was covered, then receive a bill at out-of-network rates. For seniors on fixed incomes, that kind of billing surprise can mean choosing between paying the bill and paying for prescriptions.

The second failure is more alarming. A public-facing database tied to the portal contained full Social Security numbers for some clinicians. CMS has long maintained a strict separation between internal enrollment records and public provider data. The National Plan and Provider Enumeration System (NPPES) files that CMS distributes publicly include practice addresses, specialties, and National Provider Identifier numbers. They deliberately exclude Social Security numbers. That design is intentional: provider directories are meant to be open and searchable, so sensitive identifiers must be stripped before anything goes public.

According to the letter, the acting DOGE official pushed CMS staff to meet an aggressive launch date tied to the administration’s broader digital-modernization agenda. In the rush, standard data-field checks and privacy reviews were truncated or skipped. The senators write that “CMS staff later discovered that the back-end database connected to the portal included raw enrollment and credentialing data that had never been sanitized for public release,” including full Social Security numbers.
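As an added illustration (not code from CMS, the portal or the senators' letter), here is a minimal Python sketch of the kind of pre-publication data-field check described above. It exports only allowlisted columns, then scans what remains for SSN-shaped values. The field names and sample rows are hypothetical.

```python
import re

# Assumed allowlist, modeled on the categories the article says public NPPES
# files carry. Field names are hypothetical.
PUBLIC_FIELDS = ("npi", "name", "specialty", "practice_address")

# 123-45-6789, 123 45 6789 or 123456789; the backreference requires one
# consistent separator, so ZIP+4 and phone numbers do not match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def contains_ssn_shape(value):
    """True if value contains a 9-digit run shaped like an issuable SSN."""
    for area, _sep, group, serial in SSN_RE.findall(str(value)):
        # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        return True
    return False

def build_public_export(records):
    """Project records onto the allowlist, then scan what is left.

    Returns (rows, withheld). A row with any finding is withheld whole,
    so the gate fails closed instead of publishing a partly cleaned record.
    """
    rows, withheld = [], []
    for index, record in enumerate(records):
        # Allowlist, not denylist: unknown columns never reach the output.
        row = {f: record[f] for f in PUBLIC_FIELDS if f in record}
        hits = [f for f, v in row.items() if contains_ssn_shape(v)]
        if hits:
            withheld.append((index, hits))
        else:
            rows.append(row)
    return rows, withheld

# Constructed sample rows; every value is made up.
SAMPLE = [
    {"npi": "1234567893", "name": "A. Example", "specialty": "Cardiology",
     "practice_address": "1 Main St, Portland, OR 97201-1234",
     "ssn": "123-45-6789", "enrollment_id": "E-001"},
    {"npi": "1987654321", "name": "B. Example 234-56-7890",
     "specialty": "Family Medicine", "practice_address": "2 Oak Ave"},
]
```

The first sample row is published without its `ssn` and `enrollment_id` columns; the second is withheld because an SSN-shaped value sits inside an allowlisted field, a case that dropping columns alone would miss.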

In a joint public statement, the senators called the rollout “disastrous” and wrote that the portal “put providers at risk of identity theft and threatened to steer seniors toward out-of-network doctors, raising costs for some of the most financially vulnerable patients in the federal health system.”

What CMS and DOGE have not said

As of late May 2026, CMS has not released a public statement addressing the incident. The agency has not confirmed how many providers had their Social Security numbers exposed, whether the portal has been taken offline or corrected, or whether the raw database is still accessible.

The senators’ letter describes the exposure lasting “weeks,” but it is important to note that this characterization comes solely from the oversight letter itself. No independent audit, CMS disclosure, or third-party investigation has verified the precise start and end dates of the exposure or its full scope. Without a formal breach notification, affected providers have no way to know for certain whether their data was compromised.

In past incidents involving sensitive data, CMS has followed a defined breach-response protocol: forensic review, mitigation, and direct notification of affected individuals. Federal agencies are also subject to breach-reporting requirements under the Federal Information Security Modernization Act (FISMA), which mandates disclosure to the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget. The absence of any comparable public announcement here raises the question of whether CMS has contained the problem, is still investigating, or disputes the senators’ account.

The identity and specific role of the acting DOGE official remain undisclosed. The oversight letter attributes the rushed timeline to that individual but does not name them. It is unclear whether CMS privacy officers or security staff reviewed the database configuration before launch, or whether those reviews were bypassed under deadline pressure.

There is also a technical problem that may be difficult to untangle. Because the portal was designed for open interoperability, the database could be queried or downloaded without user authentication. That means there may be no clean way to distinguish routine automated traffic, such as health plans syncing directories, from malicious scraping. Unless CMS maintained detailed access logs, determining whether SSNs were actually harvested by bad actors could prove nearly impossible.

Part of a broader pattern

The Medicare portal episode is not happening in isolation. DOGE personnel have been at the center of data-handling controversies at multiple federal agencies over the past year. At the Treasury Department, DOGE-affiliated staff gained access to payment systems containing taxpayer information, prompting a federal judge to order access restricted in early 2025. At the Office of Personnel Management, similar concerns arose over access to personnel records covering millions of federal employees. In several cases, inspectors general opened reviews.

That track record matters because it suggests the CMS exposure is not a one-off technical glitch. It reflects a recurring collision between the administration’s push for rapid digital overhaul and the layered review processes agencies use to prevent exactly this kind of failure. Provider directories are a transparency tool. Enrollment and credentialing databases contain information that can be weaponized for identity theft. Keeping those two categories separate is not red tape. It is a basic security requirement.

What providers and seniors should do

Providers who participate in Medicare Advantage networks and whose information may have been included in the portal’s database should act now rather than wait for CMS to confirm the scope of the exposure.

The most immediate step is placing a fraud alert with the three major credit bureaus: Equifax, Experian, and TransUnion. A fraud alert requires creditors to take extra verification steps before opening new accounts. Providers who want stronger protection can freeze their credit entirely, which blocks most new credit inquiries until the freeze is lifted. Both options are free under federal law.

Beyond credit protection, providers should review recent tax filings and banking records for unexplained changes and verify that no unauthorized claims have been filed using their National Provider Identifier. Providers who suspect their data was included can cross-reference their public listing through the NPI registry with any recent correspondence from Medicare Advantage plans, and contact CMS or their plan’s provider-relations office directly. If CMS follows its own precedent and confirms the breach, affected individuals should eventually receive direct notification and potentially credit-monitoring assistance.

Seniors enrolled in Medicare Advantage should treat any provider-directory listing as a starting point, not a guarantee. Before scheduling care, call both the provider’s office and your health plan to confirm network status. Write down the date, time, and name of any representative who confirms coverage. That documentation becomes critical if a service later gets billed at out-of-network rates. In those cases, patients can appeal the charge with their plan, citing the directory error and any records from pre-visit calls. Plans have, in past cases, reprocessed claims when their own directory mistakes contributed to the billing confusion.

What happens when CMS stays quiet

The most consequential question here is not technical. It is whether CMS will acknowledge what happened, explain how it happened, and commit to preventing a repeat. Congressional oversight letters carry institutional weight, but they are demands for answers, not answers themselves. Until CMS responds, the scope of the exposure, the number of affected providers, and the real-world consequences for patients all remain unknown.

What is already clear is that a tool promoted as an official government resource for vulnerable seniors introduced risks that no provider directory should carry. Merkley and Wyden have given CMS a deadline to respond. Whether the agency meets it, and what it says when it does, will determine whether this becomes a cautionary footnote or the opening chapter of a much larger accountability fight over how DOGE operates inside federal health programs.

