Democrats Scrutinize CMS’ Unintentional Leak Of Provider Social Security Numbers

Top congressional Democrats are demanding CMS explain how the agency accidentally revealed sensitive information about providers, including Social Security numbers, through a public release of National Provider Directory data. The Democrats also want to know what steps CMS is taking to protect providers whose identities could be stolen because of the leak and prevent future directory errors.

“This administration has repeatedly mishandled sensitive personal data entrusted to the federal government and has repeatedly resisted congressional oversight when those failures come to light,” wrote Oregon Democratic Sens. Ron Wyden and Jeff Merkley to CMS Administrator Mehmet Oz on Wednesday (May 20).

The National Provider Directory is a CMS-led collaboration with private companies to create a comprehensive database about U.S. providers and doctors. The project is at the heart of the Trump administration’s signature digital health initiative, expected to contribute to anti-fraud efforts and eventually help patients determine which health plans doctors accept, Inside Health Policy previously reported.

In late April, the Washington Post reported that a public release of National Provider Directory data accidentally included the Social Security numbers of dozens of providers, unbeknownst to individual doctors. CMS removed the data from the directory’s website, directory.cms.gov, around the time the outlet published a story but has since uploaded a different batch of data, IHP found.

Wyden and Merkley want CMS Administrator Mehmet Oz to answer a list of questions about the unintentional leak of sensitive provider information by June 3.

The senators want Oz to share how many providers had Social Security numbers leaked, whether other personally identifiable information was leaked, and whether providers whose information was leaked have been notified and have been offered identity theft protection.

The senators also want Oz to explain whether CMS will pause the National Provider Directory project pending review from HHS’ Office of Inspector General, and which contractors and Department of Government Efficiency (DOGE) officials are involved in the project.

The Oregon Democrats previously asked Oz to answer questions about the agency’s inclusion of provider information in the Medicare Advantage Plan Finder in Fall 2025. That project included incorrect information about which health plans doctors accept and is separate from the National Provider Directory project, Amy Gleason, a senior CMS advisor, previously told IHP.

Top House Democrats Reps. Richard Neal (MA), Lloyd Doggett (TX), John Larson (CT) and Terri Sewell (AL) are also concerned about the directory’s leak of doctors’ Social Security numbers and the MA Plan Finder. The lawmakers requested that their staff receive a briefing on the directory leak in a May 11 letter to Oz and HHS Secretary Robert F. Kennedy Jr.

They want Oz and Kennedy to reveal when HHS learned of the leak, the DOGE officials involved in the directory project, how long it took CMS to remove provider information from its website, the remedies CMS is offering providers and how CMS plans to ensure future snafus do not occur. Spokespeople for the four lawmakers did not respond to a request for comment by time of publication.

CMS published data on directory.cms.gov in early April to ask private companies for help in ensuring the provider data the agency has gathered is accurate and up to date.