Scammers ramp up right after Open Enrollment. Add in a couple of big 2025 security headlines, and January is the perfect time to tighten up your defenses. Here’s a quick, plain-English guide you can send to clients.
What changed lately (and why it matters)
- Change Healthcare breach—now confirmed at ~192.7 million people. HHS says the 2024 hack ultimately affected about 192.7M individuals, the largest U.S. health-care breach on record. If your providers or pharmacies used Change Healthcare for claims, parts of your data may be in the mix.
- Medicare.gov account incident (2025). CMS flagged unauthorized Medicare.gov accounts created using personal info from outside sources and notified affected beneficiaries in mid-2025. If you got a letter, take it seriously.
Top Medicare scams we’re seeing now
- “New/updated Medicare card” calls
Imposters claim you need to “activate” a new card and ask for your Medicare number or bank info. Real Medicare doesn’t call, text, or email out of the blue to ask for your numbers. Hang up. Report it.
- “Flex card” bait-and-switch
Medicare itself doesn’t hand out “free flex cards.” Some MA plans offer legit prepaid benefits—but scammers use fake plan sites and pushy calls to harvest your info. Verify benefits with your plan or your broker, not a cold call or ad.
- Genetic/DNA cheek-swab pitches
The long-running “free cancer test” scam is still around. Medicare only covers tests ordered by your treating clinician for medical need. Don’t share your number for pop-up screenings.
- Hospice/home-health enrollment you never asked for
Watch for anyone pressuring you to sign hospice or home-health forms you didn’t request. OIG continues to flag abuses here; talk to your doctor and broker before you sign anything.
- General impersonator scams during OEP/AEP
Spoofed caller IDs, emails, or texts claiming to be Medicare, “the FTC,” or your plan—often urgent and secretive. Urgency = red flag.
Quick steps to protect yourself in January
1) Lock down your Medicare.gov account
- Create (or update) your account with a strong password; Medicare notes the portal has built-in security features.
- If you received a CMS letter about an account created without your OK, follow the instructions immediately.
2) Guard your number
- Share your Medicare Beneficiary Identifier (MBI) only with your doctors, your plan, or your broker. CMS can issue a new MBI if it’s compromised.
3) Read your statements
- Scan your Medicare Summary Notice (MSN) or plan EOBs for unknown dates, providers, or services. Report anything off.
4) Know where to report
- 1-800-MEDICARE (1-800-633-4227) or the online fraud form at Medicare.gov. For Part D/drug issues, you can also call I-MEDIC at 1-877-7SAFERX. And tell the FTC at ReportFraud.FTC.gov.
5) If a breach touches you
- Consider a credit freeze or fraud alert and keep an eye on bank/credit reports. (FTC and SMP both recommend reporting impersonators and seeking local help.)
One-page “trust rules”
- If it’s urgent, secret, or pushy, it’s a scam.
- Medicare won’t call to sell you anything or ask for payment/MBI. Ever.
- No surprise tests or equipment. If you didn’t request it and your doctor didn’t order it, don’t share your info.
Want help reviewing your 2026 setup or suspicious mail/calls?
Send your broker your plan name and a photo of the letter or caller details. We’ll confirm what’s real, help you report fraud, and—if needed—start the process to get you a new Medicare number and clean up any bogus claims.